23542300x8000000000000000290946Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:11.829{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B40CE85AEB2B6028DDF48F1CFA39AF,SHA256=EC983CF9DE57317EC03504CC1C039F41D1DD659E13210C33F62E1885AC299DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439524Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:11.618{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8429A91B05AE3F832A294569EBADD68A,SHA256=DEC52E1D50D4671A55137B9485DEC6E26E6DCD13C454B5F12DF7B7C51A894E6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439523Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:11.024{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439522Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:11.024{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439527Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.850{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACB277B91691AE60884EF9FD476ADEA,SHA256=1C42C5749D470F25E15F61D1ED09B06A10C6D1FF300D97A6D5375A73D3DE5AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290947Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:12.833{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DF5C8E7AA75DF762DEF9D773C239B0,SHA256=BADEE0E67C226CB780BD8DC8D13079107060CB13ECA5CEA905B45487390BCC28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439526Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.025{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439525Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.025{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290948Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:13.837{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF10C5E3BE5934F70BAB0616FB86A5E6,SHA256=FDA7EA86DD0C66852F97FD85386AC615638B9F3651F0793DEA85DF8CCC990196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439530Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:13.060{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E907B4687D3ACE9042A52D2E575FF9C,SHA256=AD03A20EFB0F69E5899B684BB2C5A102F4E114D2D2B7BC255555D3201D9C624B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439529Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:13.026{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439528Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:13.026{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290953Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.854{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83B42EA2F215D89DC1C05FA2DBE3B85,SHA256=48BC57C1998D81A0327D2338C79891BBB5473E8ABC5EA8BCA62BD19BA28E3EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290952Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.854{BEA10069-D0C2-6086-1300-00000000BB01}344NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E495CDC2CCA665E40B183055BF132ACC,SHA256=C25A5CB7D9A67F4A2495E4E1A4B9C598D357DDBEE85AF7A7AF8030CBAAA16D99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439535Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:10.280{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-932.attackrange.local138netbios-dgm 354300x8000000000000000439534Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:10.280{42DC5269-CE8E-6086-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-932.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000439533Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:14.057{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DB1EBB9438DDFBCCC0E355C7279DB6,SHA256=FD99C04FDDB306D1CE7DBF39523E57692C4CD682FFCFB579EE19211AAEDE8884,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290951Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:12.411{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50585-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000290950Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.134{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E9072E759B11458B49C08778B8D15E9,SHA256=34EEDB9660025D8B125CABA10AF4887EEFFD0DE4A426D996119BA06C63D4498F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290949Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:14.133{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6C087069083424C1F508CF243D1BF99,SHA256=3E72FBEE313F33A14BA072650DFE88A457E698D5898C897600D2171E33BE711C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439532Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:14.027{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439531Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:14.027{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290954Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:15.887{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63447CB136F707100A1FEC457E5F047,SHA256=1CEA7046A93CB20AADD6F683C29AA58C573468819354825114FF1D96867D4E7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439540Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:12.625{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62363-false10.0.1.12-8000- 23542300x8000000000000000439539Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.289{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418A14579D5CEE64A7717B0213F63CA4,SHA256=117343CC239E5D06893E0A34D6207AADA11A942F3EE425B8508A672F8F7B2EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439538Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.189{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B6866AAEE4354076823B735D0E4110C,SHA256=CCBEE4CDC117762134095755E78BD761EADB8945FB02A92590E482DB08F5E0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439537Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.028{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439536Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:15.028{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290955Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:16.905{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0619D3389B8C4B3BEFA3F1B59AC9A164,SHA256=A67A6A52A48161BA20F5256C1760D16DDDA4405442170A26A0EC4855D0F00700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439543Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:16.294{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B378F67E8860CFC8E70F0678E227B3B7,SHA256=278E3E883081E8E160BBC962496DE089466F0D6D97AC2CDE4BAEE2E9C9D2C519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439542Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:16.029{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439541Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:16.029{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290956Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:17.907{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB4325D0C4C91250E22F32523DC8C97,SHA256=AE8856302D50F17226F20C2C8452485D6D32497745BB9CDB69CDF3725C7601F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439546Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:17.304{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC0F853633A604933D749948803E558,SHA256=B7CE00931B7FE6374E998C3C9513C01C1FD775871F7B98DB72C54A176AEDF192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439545Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:17.030{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439544Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:17.030{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290957Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:18.944{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F27AAC7C29A3A7E28ECAD7505391472,SHA256=065A5B3595A7C1847E8C763A77B74E161049F24CCD311D79C728C78B582FFFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439549Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.314{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A32148AAA38F21D26F0897CF6B9DC71,SHA256=5B548302D0948123B83EB7B637F847BDB8747E5725F6C85205AA0F82B5846488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439548Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.031{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439547Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.031{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290958Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:19.946{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DD535B4A1A86937F7E36D429D3196F,SHA256=92AFC52591BEE7B9A79572EA379A53CD6150E9FA109189F91D83A05AB940B5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439552Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:19.324{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F685FF91AEACA4A08A22ABF900A3D2F,SHA256=70D2134E7A2D9B55E01D4590AA210E61251D82F447DCF2A7885BA9F520D3FC30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439551Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:19.032{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439550Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:19.032{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439555Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.557{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A496612372A5A61586BE40F9E7336FF1,SHA256=E875301809E0B00E320DD2CBF90BC7256D6F72C9B11EC3EBA9A485EB48E1A89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290963Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:20.967{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D17CA3495AEA4EF801EE6CF1042DC0,SHA256=58EFDCC59F57F32C63529918474FC78752020F953F1AF9E605C985613734380C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290962Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:18.723{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50587-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x8000000000000000290961Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:18.391{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50586-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000290960Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:20.096{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CDDB808BCFBB8055EF191CAC2D30804,SHA256=94C56ECB73584699AA0713D1F5CD1DD87BDEF2F23CBFF575BE9436F94F65AE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290959Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:20.096{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E9072E759B11458B49C08778B8D15E9,SHA256=34EEDB9660025D8B125CABA10AF4887EEFFD0DE4A426D996119BA06C63D4498F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439554Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.033{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439553Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.033{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000439562Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:18.506{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62364-false10.0.1.12-8000- 23542300x8000000000000000439561Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.929{42DC5269-CF3C-6086-AA00-00000000BA01}4168NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439560Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.791{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE2A1EA11CB7CDBC633F62AB6EE3F96,SHA256=7A1C49452830EF478E03C3B62C1C967DA97410649954078FDC61F3E2E4C4C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290964Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:21.969{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE010E5C3EF05ADB28E2F3DF3405BF1B,SHA256=12DDCD0E35F590C019121F9B10386B977C798F9FBDC666F718DB1E9BDA9641C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439559Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.056{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6151607716FD2C34EDBF385533733A61,SHA256=A930392A02B7E93F2F44B918443AE236782268980EF65D6BF5AC0D5B055421BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439558Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.055{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13013E805ACDF46164703933C0D6FB50,SHA256=5360357A50E5E455455901030204368DA8B69C4B155550B8E0B4E1316942173C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439557Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.034{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439556Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:21.034{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000290979Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.971{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D35E675A24C579E843FEEBE2B3809F,SHA256=2CF3E87A36B630A577E034A647CCF195F274484652093DEE3ED9449E29002BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439565Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:22.934{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6151607716FD2C34EDBF385533733A61,SHA256=A930392A02B7E93F2F44B918443AE236782268980EF65D6BF5AC0D5B055421BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439564Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:22.035{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439563Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:22.035{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290978Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.802{BEA10069-01C2-6088-E729-00000000BB01}3886976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290977Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290976Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290975Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290974Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290973Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290972Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290971Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290970Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290969Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290968Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290967Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000290966Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000290965Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:22.671{BEA10069-01C2-6088-E729-00000000BB01}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291009Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.989{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BF895B4E2E6CE6281F4DED4CE522F6,SHA256=046B6515A5D709BD0813A0588C06ABDDC5A4898537926FA175810AFA36EE74FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439569Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:20.382{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62365-false10.0.1.12-8089- 10341000x8000000000000000439568Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.036{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439567Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.036{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439566Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.022{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84873DA351BBA800F456E9AA56FA7242,SHA256=3E9778B7AE969E5E6AFBD823EC083D3345E3ABB56EDFC084A66A042701045625,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291008Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.920{BEA10069-01C3-6088-E929-00000000BB01}67641504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291007Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291006Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291005Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291004Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291003Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291002Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291001Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291000Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290999Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290998Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290997Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D0C1-6086-0500-00000000BB01}416532C:\Windows\system32\csrss.exe{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000290996Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000290995Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.789{BEA10069-01C3-6088-E929-00000000BB01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290994Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.673{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CDDB808BCFBB8055EF191CAC2D30804,SHA256=94C56ECB73584699AA0713D1F5CD1DD87BDEF2F23CBFF575BE9436F94F65AE34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290993Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.319{BEA10069-01C3-6088-E829-00000000BB01}58925764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290992Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290991Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290990Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290989Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290988Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290987Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290986Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290985Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290984Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290983Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290982Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000290981Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.187{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000290980Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:23.189{BEA10069-01C3-6088-E829-00000000BB01}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291025Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.991{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A176E45C2D53D3466196B2E14258BEF,SHA256=AB45A59748D6ECBDD1FB5EFE172C832EBC491FB5F52C5B094463FB2065E8530E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439572Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.045{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57863293B085F9D1F2434DC195427915,SHA256=7DAA4961730326C6955C7C14336EBAA1D75A2734E418CA40E8C3576CE4EB97C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291024Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.806{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5B7A99FAFF2DE3CF80DCE80C7DA02A3,SHA256=40647D163EFC2180D0A99E1DD9B52221358D1D925C184C8E6C7F73469FF22045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291023Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.590{BEA10069-01C4-6088-EA29-00000000BB01}38406104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291022Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291021Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291020Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291019Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291018Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291017Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291016Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.458{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291015Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291014Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291013Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291012Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291011Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.457{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291010Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.453{BEA10069-01C4-6088-EA29-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439571Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.037{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439570Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.037{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439576Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.987{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B967B9455E75C56CD54C6E7B3A769F4,SHA256=5B003702858206977C5F760B343C2DCE25CC23A38D154D4BB5246CE984ADA0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439575Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.057{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F811FA29A8FE1DCDAC68EFCA71B4A5,SHA256=36BB6E9EB7376340C49D902DC1AC2159633F50D1DEDA5F5A345797E193330B77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291051Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291050Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291049Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291048Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291047Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291046Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291045Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291044Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291043Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291042Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291041Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D0C1-6086-0500-00000000BB01}416432C:\Windows\system32\csrss.exe{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291040Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291039Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.777{BEA10069-01C5-6088-EC29-00000000BB01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291038Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291037Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291036Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291035Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291034Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291033Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291032Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291031Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291030Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291029Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291028Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291027Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.091{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291026Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:25.092{BEA10069-01C5-6088-EB29-00000000BB01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439574Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.038{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439573Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:25.038{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000439583Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.627{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62367-false10.0.1.12-8000- 354300x8000000000000000439582Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.223{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62366-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 354300x8000000000000000439581Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:23.223{42DC5269-CEA9-6086-2300-00000000BA01}2704C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local62366-true0:0:0:0:0:0:0:1win-dc-932.attackrange.local389ldap 13241300x8000000000000000439580Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:21:26.166{42DC5269-CE99-6086-1100-00000000BA01}340C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d73b5f-0xd7f2e269) 23542300x8000000000000000439579Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:26.073{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0143F4E5B16A603D2A5581BADC3ADD3F,SHA256=8B92111DA440460BEB45740586EB1F309C9A262C3ACEE52BDBC6CE481A1F1E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291067Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:24.406{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50588-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000291066Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291065Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291064Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291063Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291062Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291061Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291060Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291059Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.462{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291058Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291057Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291056Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D0C1-6086-0500-00000000BB01}416952C:\Windows\system32\csrss.exe{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000291055Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.461{BEA10069-D13E-6086-9900-00000000BB01}4082600C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000291054Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.457{BEA10069-01C6-6088-ED29-00000000BB01}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{BEA10069-D0C1-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291053Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.193{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7277D959B3293180A708797BF2EA4119,SHA256=ECA3011F16CC462F621CDDF802C80E58546B405A0EF41D2508751CDF49D6E58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291052Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:26.193{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FFB206A55924456D5DB2E5012FC4A9,SHA256=AEA0209D27BF1BFF7A2F09D35F4869B9B6AD12317D07A09F8EF6486847908704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439578Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:26.039{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439577Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:26.039{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439587Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.296{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14D1251D393FDD92EDD432220C32CAD,SHA256=B5AF26AA1054379B29119BAF3B5AC1FE126EBC9594C26A4396B4A66708FD4C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439586Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.295{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D57B9CD8F4E1F2C489EAD039D4D76A6,SHA256=EDD55FDF9EF6E7DFD7B8A5D053180526160251EB205C0ED5FC937BDC373D54AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291069Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:27.496{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C9BC83AB106AC63F5CA35B5A02AC9E,SHA256=0FD50E1214204D8F3B1C7AF7CF98C868B9D9CE90E7406AE62948E41B5D2B485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291068Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:27.195{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A21DF715EEC105577A927D8E1D68F68,SHA256=0633B6067CF8152A740EC9A901B35BF815928792624FFB64F754DD2068CB7493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439585Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.040{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439584Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:27.040{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439591Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:28.306{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D66A9BF09BE0BBFEEFF227F5AB8CEB,SHA256=0426705C999CADDEA3D26FFB6307ECC58B43798B6802914E125774186F2B1046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291070Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:28.197{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B99C7BC28A855BA94BFE4A4A1588BF0,SHA256=376A6FF3B9F49EB3C8E998FB502456453786C6438C6A0A8FC099F61434B8FB41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439590Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:24.567{42DC5269-CE99-6086-1100-00000000BA01}340C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-932.attackrange.local123ntpfalse13.86.101.172-123ntp 10341000x8000000000000000439589Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:28.041{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439588Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:28.041{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439594Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.317{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59915C3B2F71D1A661AC0B499A1A1319,SHA256=BEDCC5E716FB3056E390FBF6602FA57991C84F98D90E42FA42A75D96DE2D23D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291071Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:29.199{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BB77FF3CF86F81D4A91F5D1C396DBC,SHA256=5A92CA33103F17E54EB921BB726D9D5F5368033EEC59F800353C75EC5FD5A43E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439593Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.042{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439592Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.042{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439597Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:30.545{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F748B8D9D27F6D9DA4B14E14DF53E1,SHA256=88774C890B17BCF354BF404E1120D83BB7A062214519EC8944114FFFF5711BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291072Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:30.265{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CF9C1E60539F3F27168D2669A069C2,SHA256=22C1A654782728743961FCF0284226E644C050156D5133CD001541B77EB8A3C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439596Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:30.043{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439595Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:30.043{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291073Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:31.319{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A872BC151E58061EF7F80F39058BD7,SHA256=F9B694D501A5816DAB46B2F330E5DEBF9969F574B7CC0AC347246C9A78F4C779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439600Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:31.566{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66935DED1B46A3A29129455696FDE23,SHA256=A2273E5771AA759658AFCCD8A117B2C8455E61948C8A31A8B23FE2FE4940F0C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439599Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:31.044{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439598Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:31.044{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291075Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:32.337{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146C06EE4194CC0E7F9CF2BD83BF05DB,SHA256=59E3DCB41CE5A1ACA9B2598F4BCBBD6F748EB2BB0771C4E3F44E5AE3A896CD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439604Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.569{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77C63185B6D690B2F86CC2495A03DFD,SHA256=79046508EA2222F7B7EAA94E5D3990FDC0E2C66B11C3EEAE6858119F68F34FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291074Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:32.236{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50DEF5BAD66675085E218DE2FC677F57,SHA256=D25E960EAD5DBAFD4FDA069DE8E244A63AA311EF53998E246BE1ECEAE6DA5D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439603Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.275{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E85FFD27DD5E8B3823021913A3838F5,SHA256=EACBB817ABEA59E5CD761F1187E1820490CF070C99B7D290C04100E37E79DF7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439602Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439601Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:32.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439608Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:33.591{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E9A2C4BC5CBAAD3A994B3942367D27,SHA256=CE09B9DF49F70D87EE5566F20F1A4069156B6E2CCE2503C73433AF79EC13B701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291077Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:33.372{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3817183113D055969ECF862CAF96AE39,SHA256=AEC0942203A0B96D34D70A84704174460E9E3586B8D66A74AF509CA6032CCD61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291076Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:30.446{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000439607Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:29.508{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62368-false10.0.1.12-8000- 10341000x8000000000000000439606Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:33.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439605Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:33.045{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439611Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.608{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095E09F48758F35D92EEB3D1897015AF,SHA256=9BBB96F3DEFACE6B222BA31E7791A5B475428EC9AEEA059C8C5D81DE796B9D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291078Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:34.375{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABE6E9EC2E0C7EDD1B1AC0F353142D3,SHA256=1609A1540633A82E630C27DBEEF0335EB7B4C9D3564C9ADD8C6EC860A298EC97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439610Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.046{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439609Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.046{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439614Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:35.841{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437FBC1D69DB765907961813CD3736DB,SHA256=A51452142F31C851B1A2E6E0358ADBA19793853FAA2D5AB34730E41E5EDD2245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291079Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:35.396{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E9C38FC88413D5B0A946104D56764E,SHA256=7C95D8392E90708E0371E0F0C48533AE0D3468F1ED22A68E30A81F93821E2BD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439613Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:35.047{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439612Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:35.047{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291080Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:36.429{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632BC586C5A1FA9C5CD1D6206751A846,SHA256=80ED3D93410EFEDC40E867149E47D942A402F09B99A6B12425356BFA0CD7B5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439616Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:36.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439615Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:36.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291081Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:37.431{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF17749B1FAFB99A6CB4CB0F85B0CA55,SHA256=88011E51334A7D22DE21A734010D8E78C8E7E465660DD51AE6F7C9AC24E725F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439620Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.178{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EC3CF9453D56EA164040EB933D218F8,SHA256=279D5C2180AB943233B86F92C492BA333DF920112F21FEED4E068B3731563295,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439619Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439618Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.048{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439617Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:37.047{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA15303B1B99225492412F7396E941F2,SHA256=C9B59C1911FBAD5D408E02982E33C2F78F8B805EA5AFFE8647D7E06D52690EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291085Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:36.376{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291084Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:38.433{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0605A831B7C9757D50C84F00C59BD234,SHA256=A295A743FBBD6614A6205DA39D2440B61E075573D87F53C996918B26659839AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439624Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:34.631{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62369-false10.0.1.12-8000- 23542300x8000000000000000439623Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.058{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242FE6C36222AE237B309437B5725C79,SHA256=FCD7BFF6182D7792BDB7235F3A71CC850B05DDA876783AE539B132E11A326596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291083Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:38.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F933314535AB2C4450A1B22A81ADD5,SHA256=17C81974BCCCF0B0808CB76D4FEE7487CFBCA9E2210850022E6359CC6984D336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291082Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:38.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D62068294518B2454EFF4D6D4368E1B,SHA256=501565218DF38D9E1C565B5016A1BD62C77342E4AAFF8D6E2D84010FBF20FEA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439622Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.049{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439621Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.049{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291086Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:39.451{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D168C33A1F25D54520A13001BB29DCA,SHA256=C2E5528E6DB56F67C154F7860F03207785D700F20D9B109746C9096D684168A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439627Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:39.073{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DAF1BF470CF90B235D7BC75F1DFA76,SHA256=855050924898715FF0854800E0ECFAD16F56C44417B0EE7AEF6A882303FEEAF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439626Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:39.050{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439625Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:39.050{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291087Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:40.453{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E059F49813938A12A38C0F2FEA2BC753,SHA256=B50CD308B66F355F352F8CE66D53E8A8990CD89D2C96ED39BFCC1FBE89B85227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439630Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.089{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48454134B6DCAFDA827A12606BB7724,SHA256=3BF9DF6144F17B264C74699D04C0C82487F70EF1DD61FE259D3FD10B1060AAFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439629Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.051{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439628Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.051{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291088Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:41.455{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB1ABFF7B16741AFCF607C004F4CD8B,SHA256=04EEE627D66F2540C9366D4C8741256ED11FD06EAFD448EAABD49859BB5D289B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439635Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.294{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=284227B66B09507C2C548A0172DB62D3,SHA256=9D1FC05492A360A0E8EA699DB71DE8C7517329D4FB35C76EE687923B9EF01514,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439634Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:38.519{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local49980- 23542300x8000000000000000439633Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.103{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB76A4FCC3611C8B16BF118768A19AD2,SHA256=242FE54D06EBCC9DF42094348791B98B4F62685F4A626D3DA75D2C6C54ACCB0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439632Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.052{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439631Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:41.052{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291089Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:42.473{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A7FFEEA676CAF98F0C88EBA933916D,SHA256=8D3FA5B3D6CC666636F0C8E4D45591C79E4A27F50B0F978D436A778F2A5D2961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439638Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:42.109{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2736BD35104112635FC5917E88C117CC,SHA256=BAEAB5C0BE9EC1E4DA60A5C4161FA3A1B522D307A01832EB8E3489CDD4D50F72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439637Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:42.053{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439636Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:42.053{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291090Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:43.475{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C4D60CDB76BE00CF9426DA44C1046F,SHA256=C93B6388937A79D8ADB3CEF53595A8A547BDB66A43826DEDA82F1AB23EFE9BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439642Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.139{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDB4B62344774568194232EB523D12E,SHA256=1858D92B14FA9D4E543A5557ED6A0354703BB1B7F3904A9FE5480AB71E2F1E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439641Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.096{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEA6C8AF2F585100B2FF3C0693A51CC5,SHA256=A73880BB75907E588EAB19DAB334CB0CA13F13B3FA3A58E0F6936135FAC4663D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439640Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.054{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439639Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:43.054{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291093Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:44.515{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1776A9CB559121D27E0BF2BF5B283FE6,SHA256=1A3703DE24BEE7631F03222A5A4D89D4EF9262B1BAB2348CFE1347356CA1AC25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439646Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:40.510{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62370-false10.0.1.12-8000- 23542300x8000000000000000439645Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:44.143{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9F02BA4AC66065AB39C1D844B7485D,SHA256=53F33DB8073DCE859DCDA1E583FFD8C6CD00CB08B9212F4E4277FF847CA5FC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291092Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:44.130{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F597F6AC75FAEF395A4028F724E74C0B,SHA256=4669C4FBE126004A7BB4C1FB2864CC66F0A65093672B083F74FBDDDFFCF56705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291091Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:44.130{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F933314535AB2C4450A1B22A81ADD5,SHA256=17C81974BCCCF0B0808CB76D4FEE7487CFBCA9E2210850022E6359CC6984D336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439644Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:44.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439643Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:44.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291095Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:45.549{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCE1070D3EE86C474BE3FB342F21EDD,SHA256=C260D05BD22C195C10CE41E916AF1AABD7000EBF73F7B1A0A8A1204B4E1F7A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439649Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.356{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C7BB3F441D8FED55504B041D646EAB,SHA256=C1CA9F7355B5BCA99657E8F9B170488F41F066D02918227A8DC8C5F371E7B108,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291094Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:42.386{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50591-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000439648Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439647Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.055{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291096Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:46.551{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEE69128B6F04BE8D9914BAB14E2946,SHA256=D266AD9C05440AB8033FB6ACF7188F7090A1FF606CFC7BD03E33A5249E27EF20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439679Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.872{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439678Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439677Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439676Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439675Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439674Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439673Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439672Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.871{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439671Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439670Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439669Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439668Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439667Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.870{42DC5269-01DA-6088-AD28-00000000BA01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439666Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.367{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC839608E8DBF97E3C2C86C710AAD35D,SHA256=3068834A9883C57FBF4589E45CD24393D39C68C61282810578B20C949B0F6CB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439665Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.345{42DC5269-01DA-6088-AC28-00000000BA01}30685640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439664Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.207{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439663Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439662Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439661Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439660Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.206{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439659Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439658Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439657Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439656Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439655Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439654Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CE96-6086-0500-00000000BA01}412368C:\Windows\system32\csrss.exe{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439653Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.205{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439652Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.204{42DC5269-01DA-6088-AC28-00000000BA01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439651Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.056{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439650Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:46.056{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291097Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:47.584{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9353E0A4D2DD549C97922D1B46CDF6,SHA256=3CFE2933668F962CAEB7231D1E0BEFCD05C7657B32546CBCF8639ED993022E2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439697Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.553{42DC5269-01DB-6088-AE28-00000000BA01}33966960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439696Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.415{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439695Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439694Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439693Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439692Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439691Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.414{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439690Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439689Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439688Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439687Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439686Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439685Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.413{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439684Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.412{42DC5269-01DB-6088-AE28-00000000BA01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439683Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.397{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CDBDFD3ED0765E323BDEB307F6D359D,SHA256=8D3EDBC49148770F297F7F695C5F5DD858B5C4BAD163818C04AC1DEDA8AD1838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439682Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.379{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CF791308623260BA619ED1A7E3C1B1,SHA256=70C1E6AE910A41DD6682F9E11E2E37347DBFE18D0DAE9C4B68505D70091CA56B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439681Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.057{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439680Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:47.057{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439728Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.748{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439727Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439726Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439725Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439724Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439723Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439722Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439721Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.747{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439720Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439719Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439718Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439717Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439716Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.746{42DC5269-01DC-6088-B028-00000000BA01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439715Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.562{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30457815DDC67C1960615654498F5D3F,SHA256=3A2F97205F7427FD8951CAF11003B3072657D55C75F5182D889C388884B4A025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291098Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:48.586{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD54F75E4836FE3259DD9A41240A25,SHA256=CAA01375AC9A1F6272C91ED8E8B7EAEE348B8315C0DEDF2CC4373C4BC84C7D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439714Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.426{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4695ECF2B15D737305AD1E5E4666B4,SHA256=996F90BCCA8A388B4E12528ED6D42EBE6F58D70A0A40FDD70F7E8FA23493D7D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439713Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.214{42DC5269-01DC-6088-AF28-00000000BA01}18526644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439712Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.081{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439711Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439710Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439709Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439708Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439707Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439706Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439705Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.080{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439704Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439703Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439702Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439701Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439700Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.079{42DC5269-01DC-6088-AF28-00000000BA01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000439699Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.058{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439698Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:48.058{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439748Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.790{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=431088AEFBEF0766B402661568215A2F,SHA256=478BC95E4E3BEFD20AE2E2F1E53CE1F81773EDF573F5E75223027366041099FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291099Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:49.588{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745A55CE16ED807FE53739C0A94880ED,SHA256=3FF72B97E8950AF17FDEE468493328FEEFC3E600A980A98710BE09D2289E58FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439747Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.560{42DC5269-01DD-6088-B128-00000000BA01}67883824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439746Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.429{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439745Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439744Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439743Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439742Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439741Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439740Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439739Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.428{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439738Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439737Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439736Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CE96-6086-0500-00000000BA01}412528C:\Windows\system32\csrss.exe{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439735Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.427{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439734Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.426{42DC5269-01DD-6088-B128-00000000BA01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000439733Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.789{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-932.attackrange.local58906-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x8000000000000000439732Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.789{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-932.attackrange.local64413- 354300x8000000000000000439731Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:45.650{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62371-false10.0.1.12-8000- 10341000x8000000000000000439730Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.059{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439729Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:49.059{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291103Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:50.590{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC937DF630E5A3C1D7DA5D391E82EEEC,SHA256=A8714AD9BC46C2992817E7B512135BBBF5F35C8BBAA6003F4ED3BDBB042604F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439764Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.087{42DC5269-CF3C-6086-AE00-00000000BA01}21884056C:\Windows\system32\conhost.exe{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439763Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439762Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439761Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439760Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439759Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439758Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439757Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439756Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439755Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE98-6086-0C00-00000000BA01}8403440C:\Windows\system32\svchost.exe{42DC5269-CEA9-6086-2B00-00000000BA01}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439754Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.085{42DC5269-CE96-6086-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000439753Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.084{42DC5269-CF3C-6086-AA00-00000000BA01}41684996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000439752Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.084{42DC5269-01DE-6088-B228-00000000BA01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{42DC5269-CE97-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{42DC5269-CF3C-6086-AA00-00000000BA01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000439751Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.083{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9F2A9366FA1B469EAB5286E73347B4,SHA256=A5C3972E3E7C786D128F270094218ABB5DBC108D78F9EB8C6AA2F4FA95369CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439750Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.060{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439749Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:50.060{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291102Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:48.352{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50592-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291101Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:50.107{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F6662CA2CC937B9D4F1C2D1B9A5D98,SHA256=DBD93692C90A55BD5930869703D64D568730F601DB48DF6C3A7649D990718680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291100Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:50.106{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F597F6AC75FAEF395A4028F724E74C0B,SHA256=4669C4FBE126004A7BB4C1FB2864CC66F0A65093672B083F74FBDDDFFCF56705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291104Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:51.609{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299224E286050B76F708C68A39287EB3,SHA256=8D54356252211E987676C22755067056D9FABE885A923E74F571539ABEDDD195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439768Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.089{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B302EF86B5ECCFA2B5011331BDDC43B,SHA256=DC98C4158F13696BDB444D1BC01B6589BEE2AD7C66028322D9E9FD9F794B5B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439767Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.061{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439766Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.061{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439765Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.022{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF40A6B0D3F4EA8A470C5F17937DC948,SHA256=B966CDFC9F6168B716EB219E6E108C27DE15F111E705A9614CEA284403164C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291105Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:52.613{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109F8A969E429A1D9080BC795FBC332B,SHA256=0AFB4F83362337A42BFCA33AC1B1C75A0A53EF23BB4B6FDAACD0A9FC8A2EC18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439772Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.995{42DC5269-CE99-6086-1000-00000000BA01}364NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4AABBE7BF500B2F00D861BB94B1E36C0,SHA256=882E81FE01EA2B2B2B68FE30E702DAE993F8D36AC9144F0997AB1B1A85F8E288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439771Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.062{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439770Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.062{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439769Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:52.028{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E9CA76718B4C258AE120153EA86C44,SHA256=FF51AC185ED2F83E79DEA47169C78AC5786F0938DD422FA768B18C4BF31F7801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291106Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:53.633{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541A63789A277B0A95311B25EE343917,SHA256=16AF0F0A0551B2FFCC96754C5F840C39B978C5DDBDB3E39222BE793109A2844C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439775Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:53.063{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439774Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:53.063{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439773Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:53.033{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29431DCE300B5FD6CFC3CF5541E68CED,SHA256=354356555357372DFB6E3BE63AC7510CD1F087BFB416CB18FFE7B0116AA72675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291107Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:54.650{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3802813DA9D658AD42A45285CE6DD6B,SHA256=5F626F58DF0BBFFC73412053C5879897E424210D87C2F1C988D3A47BA1ACD361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439780Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:51.527{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62372-false10.0.1.12-8000- 23542300x8000000000000000439779Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.097{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48A20731EB5150161DA262255FEC49A4,SHA256=E2205BF9836CE7D830DE3F983A5DEEC4A83817064E32C4C3106B080FE97AB19B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439778Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.064{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439777Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.064{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439776Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:54.059{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E123B6CFE5FC53D95F9FE096C3758EC7,SHA256=63729DAF86F4640B04D540981688C45B7867FD31A390E36F74BDF6B437F5D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291111Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:55.653{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F28B263FA71B4929A9C6E845C36811,SHA256=38B04A22EBF663C18DF8DB80458FF60C7C9ABB9DD38EFA43ADDD71B93661A318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439783Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:55.293{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107A09DB2EEE6F484587FBB959D90FDD,SHA256=3B78F1102941CBBDCD705044A694EE573EC44B40D48787878CC12389A098DCA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291110Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:53.361{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50593-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291109Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:55.119{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED82152D2DC41C0A32430C71E758F42E,SHA256=650E4BC48DDBBBA1B8504F098E31CD401DF495932F5D628C49639BC9AD1EF93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291108Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:55.118{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F6662CA2CC937B9D4F1C2D1B9A5D98,SHA256=DBD93692C90A55BD5930869703D64D568730F601DB48DF6C3A7649D990718680,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439782Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:55.065{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439781Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:55.065{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439817Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.696{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83970AB85303F34FA709C00320D4576,SHA256=089166BF73033A34AE5FB432F0D09BFFAD00043207CFB8C1D4457012127F7EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291112Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:56.655{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DCC37E117ADF0F6D3D198BA0177AD2,SHA256=AF04A3231EFEC5EAFF41F36348EC604C6F3A7EEB8913E8221A080ADD67DC15A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439816Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439815Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439814Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439813Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439812Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439811Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439810Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439809Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439808Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439807Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439806Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439805Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439804Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439803Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439802Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439801Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439800Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439799Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439798Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439797Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439796Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439795Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439794Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439793Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439792Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439791Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439790Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439789Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439788Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439787Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439786Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.225{42DC5269-CE99-6086-0D00-00000000BA01}900920C:\Windows\system32\svchost.exe{42DC5269-D4D0-6086-FD04-00000000BA01}1144C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439785Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.066{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439784Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.066{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439820Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.913{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD5CD5F7C65ECFED67BD6755ECAA3D3,SHA256=47949A56C580442654D5F01B8F06ABCEE02FE26BDBB1F0B051678CC5827C0EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291113Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:57.704{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F154587EAA29E39FD7429BF06C192212,SHA256=15D5C5CFB192C97D0BD8A23D404457C64CF695B9B69396C96A8964617B82DFAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439819Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.067{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439818Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.067{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291114Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:58.706{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9D08AD06980EFC2595EEBF0CCA402,SHA256=A7C16094586A8B572B2404C447DDA86996AD337CA7176A46D657355B391F884B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439822Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:58.068{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439821Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:58.068{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291170Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291169Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291168Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291167Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291166Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291165Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291164Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291163Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.917{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291162Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=1C82A0FCB1A71CF979139F4EA4782CDA,SHA256=678BBCB65B3773ED1DF2350A86067B6A8E93D749730509C5748088FB3AF85561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291161Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=4229EE011D82D02008C80898F88BB589,SHA256=71E39823CAF19BE44C66DA1056A3DB3B18FE5DB46594A6EBBD41F6267503FAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291160Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291159Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291158Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=9C76EBB06B6B73B6F68E449B5B45A38F,SHA256=2486CEDF0A580D9C3D93753DB1A79E12C15D5A6AE1A3FB6D8B77DE1618809D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291157Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=568BEE3B04C54991C316D831FCDF5AF6,SHA256=49758CD3418D25E9D3009DF58019AF86447C0DD16FFCDFD2AC241C7339CB9E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291156Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.901{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=2236D49D2E2961540E4B6BA73AF2ADE3,SHA256=C8F1F40F933C1957190E466F8DFD00021A8F20A3721617729776824F8D44DBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291155Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DE09FAB41B1A15A340B1DD1128CEE66C,SHA256=7A98DE1FAB89C08ADF0C3486A12FD0C20430BCB086F9B931ABC524F993FDE4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291154Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=39FE20DF3EC794C71F9DBC1AD7807D49,SHA256=A6084E298A4051DD7A5F596F48844A042F06DF4B081DE08086024B627A4F4595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291153Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=57C68C5F5A566D85A117A36860948C39,SHA256=B4615BC3ED907CD1DD6EAB2B48E33402E5B351A4716585BAB890F961274ED098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291152Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291151Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=632D8A40F0EE7313A3593BDCA49C7720,SHA256=884F6F7915C9AC764CC3FAAED16DE3448050F5A50B117F110A22A6DDC510DE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291150Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.848{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=F7DFF9ADC0FA2A62164B6022DAFDD74F,SHA256=72AAAA96E9D360B51DD89823258E8EE0C9539996B88A64C208C3BCEEDF57DC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291149Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=B0631079E861CF28491511891AE2FD8D,SHA256=3BDE649E9EC90FA04F22F84883D687AF6D7C9E8D38309CF8988F1BB7D7C01DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291148Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291147Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291146Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291145Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.832{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291144Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291143Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291142Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291141Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291140Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291139Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291138Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291137Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291136Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291135Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291134Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=5D2B92240C8C7B21B696B5F4332ECC3D,SHA256=20F25748FF8ED62B5F8364C5B9141ECAB60BBFD35352A4613A75333D35F3D293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291133Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=438CA2D8E476411D622FA556E3F6DFC8,SHA256=06CEBA967D57F01F6EC3E8A5677813CA650F21CD69BE83F8238749486A4D9A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291132Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291131Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291130Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=E5F58C529331DE1A7E3A96699C0AE92E,SHA256=698FD8CCC3F1B3A6D8CE8B2A580C277CAA34FAB0590FA0574AEF0025C0501FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291129Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=F744ED601A4BEF57BC0FB538C0D51EEE,SHA256=8B3FB99021D4F6BD267897D15D3EBA7A3F5BB87125C8DB10F0FE362BB0CF140A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291128Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291127Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291126Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=BF207C6726A4D58C22C96E138046BD45,SHA256=B2C1380591B984CD3406C519DE0A2C2B8B040BFF216F68E44563B670F324C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291125Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.817{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=A165346B708E2F7C27647CF04ECD827C,SHA256=14B5D79CA80785F1B4C6993A2A65C123CDF324CA20E1434D6DC3CDE31970A89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291124Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.801{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=B0631079E861CF28491511891AE2FD8D,SHA256=3BDE649E9EC90FA04F22F84883D687AF6D7C9E8D38309CF8988F1BB7D7C01DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291123Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.801{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291122Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.748{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED82152D2DC41C0A32430C71E758F42E,SHA256=650E4BC48DDBBBA1B8504F098E31CD401DF495932F5D628C49639BC9AD1EF93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291121Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.732{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=568BEE3B04C54991C316D831FCDF5AF6,SHA256=49758CD3418D25E9D3009DF58019AF86447C0DD16FFCDFD2AC241C7339CB9E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291120Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.732{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675A37054347DCCF56D00AA11C7FD5E3,SHA256=8794ACD34AB6BA9805A49DC83007F8F407D30CBA55A08CC2ACE2978DD738DA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439828Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:56.651{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62373-false10.0.1.12-8000- 23542300x8000000000000000439827Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.222{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E77510F16CFE6E51E078B1AF1BE24F,SHA256=6F85286D891BBC083B65E3BB317AE0E0B96E4BD39988FBACFE1D29312BA80C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439826Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.222{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DDE4EB006298756689DF308E9C37481,SHA256=4197B01A7DDF5DBF9AE7412B679831EFDDD7C0C091FA5AFE2649D9F0A37F5B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439825Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.069{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439824Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.069{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439823Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:59.041{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057A3C65DFB3189747BAFD154BC0AC2B,SHA256=94D04AD71E63BC400D06150DE283B94BDB751D02023C83DA6347429036CBDFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291119Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.717{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291118Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.717{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=57C68C5F5A566D85A117A36860948C39,SHA256=B4615BC3ED907CD1DD6EAB2B48E33402E5B351A4716585BAB890F961274ED098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291117Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.717{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291116Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.701{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DE09FAB41B1A15A340B1DD1128CEE66C,SHA256=7A98DE1FAB89C08ADF0C3486A12FD0C20430BCB086F9B931ABC524F993FDE4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291115Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.665{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\zh9k90mg.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439833Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.139{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58407- 354300x8000000000000000439832Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:21:57.137{42DC5269-CEA9-6086-2900-00000000BA01}2824C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-932.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50700- 10341000x8000000000000000439831Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:00.070{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439830Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:00.070{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439829Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:00.064{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687D241235CCC0376212891031AABFC8,SHA256=90A1D8DD2B00655AB4D8FF8426C8C554FBDEC21E3F73656797F8BA8D7CD4B22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291172Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:00.434{BEA10069-276A-6087-1610-00000000BB01}2640WIN-HOST-96\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zh9k90mg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291171Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:57.985{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50594-false104.16.249.249-443https 354300x8000000000000000291175Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:58.019{BEA10069-276A-6087-1610-00000000BB01}2640C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50595-false142.251.33.106sea30s10-in-f10.1e100.net443https 23542300x8000000000000000291174Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:01.235{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAF9D2FFA1AEC6BECE340B2BE189959,SHA256=13E3F006FADF017DF435B40093C0F974CA0D9CB0C0C1CF9D2086DF5CD5169EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291173Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:01.235{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F1E3C00442D853ADDFC0565E6B5A83D,SHA256=7928076AE28E62C016DB95B5FD63C6C582A478EF900D75A06BAEB0944E9A41DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439836Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:01.296{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCC42CB04EAEEFB36604BFBBED9C8C4,SHA256=4530F69580E81632035068F15F41F7D09F94F75372226B229ED16319B5DAF757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439835Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:01.071{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439834Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:01.071{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439839Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.308{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E2554002577229EDAE755BA3AF14A0,SHA256=621699E14CA2A9A340E139597C064A92CCB751378D91B585FA15403B544CE104,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291177Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:21:59.345{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291176Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:02.338{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA27321FAA3184719C5D59B3CEAF266D,SHA256=31FF541756F6BFEC9F8F806E70A319B31369AFCB6D4F301C6FA0691501DD13E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439838Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.072{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439837Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.072{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439842Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:03.313{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6584045383450E76272215754A6FF13,SHA256=5BC3C1E9708FE092ADDC78E8A8DEDAE1521277D7C1446047093ABF4DB0218F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291178Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:03.340{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8868C84262604C4C292DA8ADF005DD,SHA256=906130821684917ABBBE95EEFF42389ABF54993C8775E98DC5780D8983ABC6D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439841Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:03.073{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439840Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:03.073{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291179Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:04.358{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB33E196C51FE0E046AF387D3D32233B,SHA256=9420DFF581A14C31AD30701E0BF283D07A85091BDF649ED740444E82E023C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439845Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:04.546{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2BCA1F7AF0741F3D61807BDE36D6A4,SHA256=05D00B951E7B754D8CC7C92E54817E8DA36290FC1EA089C7926FAE52CC7D4E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439844Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:04.074{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439843Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:04.074{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439850Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.580{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF35CE2441F7EFE7097E7EF5B7C5FF2F,SHA256=65A46E4BCC579C696AD03CECC2A986AE0C1AC71E280EBB680FECF138721D9785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291180Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:05.359{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F6F735F8D2B4D3C280489A3A93D3F8,SHA256=7C4065E0EA7B6E007ED3EA0697ACB1D4D017023C62BA3616AA1636939BFF332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439849Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.307{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=203787C0228C66CFE8D66054F3363D7A,SHA256=621FF2471E9EB3550C3B61F2E3B1BDADAD4DE19C83A0014FE7B69C7821C8CB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439848Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.306{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E77510F16CFE6E51E078B1AF1BE24F,SHA256=6F85286D891BBC083B65E3BB317AE0E0B96E4BD39988FBACFE1D29312BA80C3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439847Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.075{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439846Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:05.075{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439854Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:06.594{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026C3513FDF0C379882A9D0E3D3246B8,SHA256=1D1CD6A29010DA64301DF518CE55DDA8639DFB73847150EECFF6CE7CA04918F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291183Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:04.355{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291182Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:06.362{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F43100CAB3E55D41FD5B9528EEC757C,SHA256=C47E6D91A8A30FCFC15066D2B0B6BFAD4A744F1C45F8535539CDEBA56B0DA774,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439853Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:02.546{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62374-false10.0.1.12-8000- 10341000x8000000000000000439852Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:06.076{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439851Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:06.076{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291181Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:06.077{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B365A5119D95CFD8CC07457F677162,SHA256=B322F7A3D7EFDF588761AB54EC96E2C76231662C9F302FEF50FAC16A5A359775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439857Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.822{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB88008127485C1CB985E212A3CA503,SHA256=569A208DDC0C7DC89F9D7070B1C1435EA7C2526DF1BF63D9318635967D4D35E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291188Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.896{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291187Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.896{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291186Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.896{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C2-6086-1600-00000000BB01}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291185Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.364{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6025FD3FD53C7012E6E703A7BAB49D85,SHA256=38C91FB51C4E3474CE3AA04EF04F9CDFD4DA893CF27FFE3602441390D24FAA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439856Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.077{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439855Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.077{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291184Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:07.095{BEA10069-D13E-6086-9900-00000000BB01}408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439860Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:08.831{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C19C3E98D58AF481E94A12C3B2C400,SHA256=47F4DDEC4FF13F53BE050DC8B14B26D03F7F0BDAE4E20D116238B598C8A75979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291191Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:06.376{BEA10069-D13E-6086-9900-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50598-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000291190Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:08.366{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0A900E94019117709E0ADCB906F692,SHA256=AB540A59216DDF67670907B7E588C1348F24386185D5190ED17D32FCB3425EF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439859Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:08.078{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439858Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:08.078{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291189Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:08.081{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2255C0EF921791E27C98705878AA59A2,SHA256=DC53B938670694DF1E9659CF9D138D10A5E529C2051B760D68AE8FD0DCFE1766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439863Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.854{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD0E109CCDAE00884AB14E453F899B5,SHA256=AFE71EC3A4A1962049E1B08E3172DA114D7F3CB121B6DDE44430C6EAAD56B253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291192Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:09.384{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFC1336220BADC02593042F0E96B519,SHA256=91EC18D108CBBD03A8112C599211E75C87BB42C45B000ADEFB1C9AF2F48FFB37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439862Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.079{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439861Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.079{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439867Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.856{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8321E5FD03541A08B2122041E539C03,SHA256=5B6DA085AB3EF34F05C34D72339BF134BF0DA5B03528B2732D08F4F9CBEA00E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291193Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:10.419{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C559D650F9DBCBE1C9273E428CDB194,SHA256=444AF122A818CB391F4F9E031DE95B42AE8D8A0563CEBCEBE6C23EBC864255A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439866Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.283{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=203787C0228C66CFE8D66054F3363D7A,SHA256=621FF2471E9EB3550C3B61F2E3B1BDADAD4DE19C83A0014FE7B69C7821C8CB45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439865Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439864Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:10.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439875Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:11.893{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B89B368F2D45570902AE8C9514E0F,SHA256=12D85A231B1AE02D2BD2EDB94D4DB342A5F008E56ED52428194DDFE562C25658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291194Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:11.423{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD2B131833858359780AC9A249B839A,SHA256=41F80E9ACA3D2572316362827BF5B4AC1C0F4C87A312D150614C009586BC8E2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439874Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.682{42DC5269-15AB-6087-FD0C-00000000BA01}5180C:\Users\Administrator\Desktop\beacon2.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-932.attackrange.local62376-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x8000000000000000439873Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:07.662{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62375-false10.0.1.12-8000- 13241300x8000000000000000439872Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:11.523{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000439871Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:11.521{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\27BFFEDA-C991-4635-B8B0-B42365118228\Config SourceDWORD (0x00000001) 13241300x8000000000000000439870Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:11.521{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\27BFFEDA-C991-4635-B8B0-B42365118228\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_27BFFEDA-C991-4635-B8B0-B42365118228.XML 10341000x8000000000000000439869Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:11.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439868Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:11.080{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439879Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.901{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9F3ABEC4AD7EEBC15F4CAA24BB3010,SHA256=2A863EED86E13CF415A8D6B3440731334AE5A29BB9E363BB86EEE718E7EDD89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291196Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:12.459{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866393B2342D3DA0870E433C14980232,SHA256=9B4D8E3114E41B0410510555A168D7CC7A3448D969FCFF869E75117040FCF6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439878Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.545{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=736C3FB4E65764E82C91DF47A909250B,SHA256=25411C2D4A560617DA7224C19B76C65E2EE4963F989E6134BCE223EDF7D08664,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439877Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.081{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439876Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:12.081{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291195Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:12.089{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC16FE3C593D11D76DCD83F511DE9D09,SHA256=128746EB7D82833E3DCE910A71246CB394B21F0F41BD9A190A1881642CAB4894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291198Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:13.493{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6722E0E8ABEC44E879BEB162776479B2,SHA256=A453FFDED9EF3789CE8BD89676796DB262EB3EF4BA7EA7F525295A27C3B97A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439887Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.985{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62379-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439886Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.985{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62379-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439885Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.980{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62378-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439884Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.980{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62378-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local389ldap 354300x8000000000000000439883Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.968{42DC5269-CE99-6086-0D00-00000000BA01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62377-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local135epmap 354300x8000000000000000439882Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:09.968{42DC5269-CEA9-6086-2700-00000000BA01}2744C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local62377-truefe80:0:0:0:4174:ccf5:6435:e217win-dc-932.attackrange.local135epmap 10341000x8000000000000000439881Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:13.082{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439880Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:13.082{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291197Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:10.368{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291200Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:14.865{BEA10069-D0C2-6086-1300-00000000BB01}344NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=772EB2A39220957909FB900A73D99CA0,SHA256=CDA012ABBA2F63506751852AD1B0CD25C5BB18FDE27227358BEC27A0C56EEB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291199Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:14.495{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216BD6F392BF41ED8AC925420D20A35B,SHA256=D9416267604CF8C93950EA66460EE90896F31C502D4FC3D6FB4AA35541D4ACC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439890Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:14.083{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439889Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:14.083{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439888Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:14.064{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA49B9C953B087481FA77727D51AD200,SHA256=33FBC76E43F84A2F002B9FFD523EADE4ACAFE5E31D81B3983A2E2D4748AF0C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291201Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:15.497{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F3DB80421951822BCBCAFC20EAFA90,SHA256=B2FCB67B81205764169F2DEDFA5A02E371EEFF42F2AB6519826F28602E4C6EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439893Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:15.118{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2A11A88958D2C33BB2FA880111D843,SHA256=4223ABDA619F57B35364F6636DEEDB4047DD42A2323B073DC95E06B12BA5C711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439892Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:15.084{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439891Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:15.084{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000439898Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:13.543{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62380-false10.0.1.12-8000- 23542300x8000000000000000439897Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.124{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FA1B51E0A31CEBFDAB2AF5331D339D,SHA256=726231BE63EACDC841A9C2660A5D2CA650A0AC22EBA34EC59EC8A556CC613038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291202Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:16.534{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BC9FB2E5A8C00DB40F3333281D56C9,SHA256=DF40F220AD992E22FB6EBFEAA93CF042781E4AF4CD3C8DDF1E6A2C05EEE5CABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439896Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.099{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DB235E4ECB2762AF5CD751992059EA4,SHA256=55213C2A6D5BF12D718027B2760BBE6BB0FF7FD82986A5211B671DCF12FD2845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439895Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.085{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439894Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:16.085{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439901Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:17.339{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62B8D0235C413907FB000F85C16D7D8,SHA256=0B2BF4A697A0BF7F6FF28651712EAEC0084531F46CED36660C657480FAC8E0FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291205Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:17.555{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80721E04C3AE33A2B22CC25817EA2CCE,SHA256=A059AC130865FD1F595767DA2EB2E08E1C1DAA1F1CA85910CCA6CA7EE37F337E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439900Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:17.086{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439899Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:17.086{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291204Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:17.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEEC95CBC2C656E5441FCFDA23C1BFB,SHA256=9705662FD5E23948E212F66D0AE0C4D56D5FA672CDF9B30DF8ECF46969676DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291203Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:17.101{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=653C61E8A2B11A410EBCA2E42BE07092,SHA256=C068BF049EB926D5A44A277D1280F104729407FA40A328F753520669FE563A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291207Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:18.557{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C041D41DB295EA53A8D2F5A6A084CD8B,SHA256=EB8D1ABF5CF2671747DD3EC39257A17E365E3C919FE807F57308E20DBAB3CC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439904Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.342{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FB58934AF5A967C805CA832AB31D76,SHA256=7BAD45ED83C3DDBDF2FDFC3660F5CBE046309D4F1059B69DEF80FDC28B46BEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439903Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.087{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439902Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.087{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000291206Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:15.380{BEA10069-D145-6086-C700-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-96.attackrange.local50600-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000291208Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:19.560{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7106575C3AC45511A82A9A658C8EBC49,SHA256=AC6BAE967E69A4C5FD3C0DF7BB5BD4BD63B763F5E0A6C9477B429E90FF0A68C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439907Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:19.349{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87003C277A2AAA4FB78B7855DA624AA1,SHA256=BD4CDEBC3849B2F9578B9367E186E48950AD23DE5A09C990DC7DEFE2826A4FF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439906Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:19.088{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439905Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:19.088{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000291210Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:20.577{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471981FFAB6F33F786A998E157919A12,SHA256=F42A88B2DBCC7DE6176C3A4F0BC3B616AE47EE6CF37FE6048DD5226D986B1C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439910Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:20.355{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519B53529F5AAADB985723DA5F8F2F36,SHA256=7C5626D9AD278922638E17042C62163F04AB00E998D14C9F6AF91D0C044138B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291209Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:20.442{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEEC95CBC2C656E5441FCFDA23C1BFB,SHA256=9705662FD5E23948E212F66D0AE0C4D56D5FA672CDF9B30DF8ECF46969676DE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439909Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:20.089{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439908Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:20.089{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000439927Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.945{42DC5269-CF3C-6086-AA00-00000000BA01}4168NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=1385DDF0A626EB1FF1FAEF0A6E1E1E19,SHA256=D3A04D6A86810FFAE54532D83A4C2D8246C33C9E5E1AB8193B89366C377D56F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000439926Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:18.667{42DC5269-CF43-6086-D800-00000000BA01}4100C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-932.attackrange.local62381-false10.0.1.12-8000- 23542300x8000000000000000439925Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.510{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33ACB37053BBD99DE1D48D5A51B12DA,SHA256=768F7D3260CB74C6E80F385CD4F478AC6AABBB0AA2FBAEA3409AEF84767742B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291212Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:21.580{BEA10069-D14B-6086-D000-00000000BB01}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8315C7FDDA6D8B5E54CE829C18627201,SHA256=F5A712F3C7FB18F52B9F6F031FC821898721C5174D78961B066F635B5C5DE69B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291211Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:18.734{BEA10069-187E-6087-4F0E-00000000BB01}3388C:\Windows\SysWOW64\rundll32.exeWIN-HOST-96\Administratortcptruefalse10.0.1.15win-host-96.attackrange.local50601-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000439924Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.429{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCE18404126727D0D7A1B6B434C1D15,SHA256=3CD671CE961C5522B15E171C85C65AC4F3CB259E5187CD7FED1F9240B27DF601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000439923Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.428{42DC5269-CF49-6086-E100-00000000BA01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2086574637F2D2AE43A2D4654184FF43,SHA256=8DB6063AB6D4FB935521A5853CD21B488358BB8E0B577972E45D4DEF8B73ED51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000439922Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.090{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DA-6086-0B05-00000000BA01}4936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439921Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-2021-04-27 12:22:21.090{42DC5269-CE98-6086-0C00-00000000BA01}840968C:\Windows\system32\svchost.exe{42DC5269-D4DB-6086-0C05-00000000BA01}4248C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000439920Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000439919Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x04b0e68a) 13241300x8000000000000000439918Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73b57-0x961642bd) 13241300x8000000000000000439917Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73b5f-0xf7daaabd) 13241300x8000000000000000439916Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73b68-0x599f12bd) 13241300x8000000000000000439915Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000439914Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x04b0e68a) 13241300x8000000000000000439913Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73b57-0x961642bd) 13241300x8000000000000000439912Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73b5f-0xf7daaabd) 13241300x8000000000000000439911Microsoft-Windows-Sysmon/Operationalwin-dc-932.attackrange.local-SetValue2021-04-27 12:22:21.046{42DC5269-CE96-6086-0B00-00000000BA01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73b68-0x599f12bd) 10341000x8000000000000000291228Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D13E-6086-9D00-00000000BB01}17281968C:\Windows\system32\conhost.exe{BEA10069-01FE-6088-EE29-00000000BB01}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291227Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291226Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291225Microsoft-Windows-Sysmon/Operationalwin-host-96.attackrange.local-2021-04-27 12:22:22.651{BEA10069-D0C2-6086-0C00-00000000BB01}7286592C:\Windows\system32\svchost.exe{BEA10069-D0C3-6086-1E00-00000000BB01}1984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4