354300x80000000000000003349495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:14:54.159{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50088-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:06.395{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9640F78E10037B29E5EAA8B92C1D6651,SHA256=A79C8C6002CBD05C73D28E7431D68701DD450D2C0D591B49308F2BD06136E290,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:06.647{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-14 16:15:06.647 23542300x800000000000000011626547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:06.647{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000011626546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:06.647{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-14 16:15:06.647 11241100x800000000000000011626545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:06.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:06.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FE08141732B5352C3FAE8EECB9A3D9,SHA256=7C340F969AC968862514A13853FC500EC10A4ADF9BA52F613ABCFDB44DF50572falsetrue 23542300x80000000000000003349493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:06.079{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27F48E87D287AB70A645072854E37CB,SHA256=B82F220902F51842D2F84B4EC8ACF57FC903D91285C392420660A81DBF0BE3AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:07.398{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959920B4CA7063DD5A7541F0D549D979,SHA256=F38F3397206F126D1AC688387DBBD488074B6B1BDB31843E8024D5E5C1080376,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:07.147{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:07.147{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDF126AA87B4E31FC3F8AB36F43FD54,SHA256=6C45B5B5649B97562D0099805B54BF425D0E0D3F9E23CA4C1274D56252A876B1falsetrue 11241100x800000000000000011626550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:07.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:07.048{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F4851808642E7F2F54EF31C4F930B1C,SHA256=40D0218929C08C8C8BE3593158317D0311099EA29128FF5702C15B048D00FE73falsetrue 23542300x80000000000000003349498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:08.400{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A85262F0BCD8E33AD6230D8A500274,SHA256=EBB10406B58E22FB8AFC91652118F34789BF166E1B99602A1081D7E39D94479F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:08.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:08.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D58480EFDBD39448EB67B40CE8513818,SHA256=4D037929503523764E20795F9548A4E296BB6DEFA4FA6ECA5DA0EA057CA001ABfalsetrue 11241100x800000000000000011626556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:08.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:08.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EEE341C4470A4DCD12891D9F7CD405,SHA256=772D420B5D021984441372F2B8DE4F983105C6C36EEBD219F8321BD6E2AC0FFAfalsetrue 23542300x80000000000000003349497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:08.347{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000011626554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:15:08.150{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a983-0xaf88c740) 354300x800000000000000011626553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:14:39.378{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49546-false10.0.1.12-8000- 23542300x80000000000000003349500Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:09.403{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9CB060D5047BAD0280E5BAF791007F,SHA256=A9CE116626B5334703664452A833134F1BEB6509DE72606C5ACF8E6351B165E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:09.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:09.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B964FFAA2D00F5F15781E46A82912902,SHA256=A86F5C47981BA4B93F8636DBE4A09DE38C4EA87CD8BC287A53C61D1BCC720927falsetrue 11241100x800000000000000011626562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:09.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:09.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA708AF510661876F275A9D337486ECC,SHA256=332CE44907C1BD9EA322770106006162615BD2EFEBFA3855E46040B4A38B06A7falsetrue 11241100x800000000000000011626560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:09.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:09.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242F927A4946B8B599F8A811715767A9,SHA256=154CE0F0EE5534CCEB20BD31BF7B6C4328A4B15900421F5C39945B3419C36044falsetrue 23542300x80000000000000003349499Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:09.350{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48C9389EF1B489ADB8F080FF763A8C4D,SHA256=85B094A8227908CC60F1FA99477C6B22C45C39B053BBD6C292D3A9109AAE99C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:10.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:10.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ED35F6A9B24FA5E9DF07D50379CA401C,SHA256=E785E10FD3A35A184429C58CB8DD3F92451DDC18AAB3019D625E928BCC47F45Ffalsetrue 11241100x800000000000000011626566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:10.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:10.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F0A23C456C8FD0B3B0D8057F1CDA4A,SHA256=D18D620C0DE80259E3534B36013D11788C9E8E1FC65C908CFBD2FF1ACB74A3CCfalsetrue 354300x80000000000000003349502Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:14:57.431{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50089-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000003349501Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:10.406{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21467F61E7D107A5E61B3948501298D4,SHA256=8AEB02CDEC0DAD1D41830CE3937599F446737347FEB94805672AF087CE89B8A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003349505Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:14:59.304{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50090-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349504Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:11.409{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AA4238FA917BDFDBB857863393DECA,SHA256=1247FB29195196E9399611D0470CF0FC145051C37813D66F10823006BFDDBB66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:11.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:11.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D181BCD7B7DFEAD40BEA4175E4E50BBB,SHA256=4FFA5B8B873B2B7FFB98C9A227B7219FFA06A771D30AF4E8AD4879078E24A017falsetrue 23542300x80000000000000003349503Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:11.239{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE466AA561A0E70A7F2ED68EED92637,SHA256=D96D349790B9B628EB7F706D0EEE8FD14975973783D4BA2A63934C8E0B1F2133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349506Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:12.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0428D5A5CACB4452E71DE96BC2342574,SHA256=7FE065DBC8FC119D4E5EA063C623993348645C5A4B263F1E406E9C192FD90AC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:12.259{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:12.259{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471A47CCEF00ADFD2C6F31287A097996,SHA256=AD3C20FD500D14624157F4D5DA2866B251838E2BD0460D724682CCB14BC686B0falsetrue 11241100x800000000000000011626572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:12.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:12.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAB09C73AF00F62526716D6A2A52B347,SHA256=2061AF6D71056DDA1F29497644DD4EEC5E0C8EF44F68660073E267619902B2C5falsetrue 23542300x80000000000000003349507Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:13.415{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8A8DD170E58ED86109E8F40D42C759,SHA256=38621F231299ED02885F2FCA88F6C6B0630BB528FBD53514007941910B70CB54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:13.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:13.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393AD5B9A016BC9A6D78909BE83F248E,SHA256=3108CDE7AC8789CB2420219C32FCC9FA018F0E93452CFF11D7010D5A8E83D8A9falsetrue 354300x800000000000000011626575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:14:44.489{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49547-false10.0.1.12-8000- 23542300x80000000000000003349508Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:14.481{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D3426B132235ECB8AC12739462CE38,SHA256=ECE9A441337A7A8CF597EC5E7083EB162A93C0BC5175613565B8C6EE68148E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:14.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:14.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=36D4598649325A41257A26B70C693221,SHA256=F92D13F92EA08089F0CFA39185F67253684D2095DCF813176E7EAE0F4CAAF309falsetrue 11241100x800000000000000011626579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:14.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:14.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB66E93DC5A008CE3F56A2B44FEED91,SHA256=CC736DB8C5AED6E5FECF9A48FBC5837D61690D2D65A8E91D11978569B8F0A335falsetrue 23542300x80000000000000003349509Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:15.484{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA882F873B0529DA6D5434314BF1BB3,SHA256=FFA77035C4188A8F21D7855A3F4AA134DC6D0F5D78E226F7601C211541C3D2D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:15.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:15.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7F755E37CAAF7BC78E549162DF3E2ED,SHA256=B253CFABB6283BEAA81A047AF0FFC662875653013F9BD49D7F01680C0E1907E5falsetrue 11241100x800000000000000011626585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:15.266{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:15.266{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADE4BFB22797A1594FF65BE99ADD4E7,SHA256=8794791F96513CC9194C42E40DB11D1FF6F61E8B9954F278187DC5A60455BE92falsetrue 11241100x800000000000000011626583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:15.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:15.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F4636C53C8A5A5BF22866C3B1CA6169,SHA256=D0596656E3AA019B24F9D3806D9CCD9E51F5F6035256C8290B485AD243724C91falsetrue 23542300x80000000000000003349510Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:16.488{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3370808010509E8F48343D8B5E46F2B4,SHA256=364A7EB5C41C6FEB7202E8720CF980C7E5F0D3B5C2D431E5B2BC075C05DE380C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:16.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:16.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A3BA4758B56541D2EACB8D6DDCAC0B,SHA256=5A353F929CF1EC8CC0A1E2CB5D35D9C90265D71AA1302E22EEB59DB1751EF869falsetrue 354300x80000000000000003349514Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:05.168{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50091-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349513Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:17.491{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED44F0CEA81BB3559484094936E7C4B,SHA256=77E3403BB1891112F6D17DF6A044DE7F433E761BBE9E8CCB8728DAAFD691907F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:17.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:17.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F78D04AD01BD91F93C01AA3949BC86C,SHA256=741A1FAB58E654DACE3AA4627E7A7488E619A9A16734A478FA83DD756E10A51Dfalsetrue 23542300x80000000000000003349512Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:17.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF5E4C517969703616031103D01DDE0,SHA256=58A58A9F2AE2A47B47119A940AADBFC06D3CD9E78EF0F27EDC4190B5336D7A8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349511Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:17.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4579096FD06780C823AABB67D4935D42,SHA256=BC0A802C44FFC8612AEFFC0C4E71214CD942393F5600FC9610B3A5170C1BD839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:17.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:17.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=654F9BD2D111334691F3CC74DB21092E,SHA256=1BDF273652F135A92D36B7AF759C4185F5A5DB9C1194A40CFBA4EB405E37D4DCfalsetrue 11241100x800000000000000011626591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:17.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:17.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89B60277BFDBAC575445E47E6BCA1C39,SHA256=169FEBD6771BB7564B694C55095A05F5CAEFD5E6364C08C83A1D5F02E2456123falsetrue 10341000x80000000000000003349529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.799{AEE49BD1-CA96-6140-67B8-01000000F101}29125848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CA96-6140-67B8-01000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349526Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349525Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349524Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349523Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349522Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349521Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349520Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349519Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349518Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CA96-6140-67B8-01000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349517Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.677{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CA96-6140-67B8-01000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349516Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.662{AEE49BD1-CA96-6140-67B8-01000000F101}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349515Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:18.495{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12ED2B3C620F78B24A4FA9EB263051EB,SHA256=DB9ED98968D29C3542C72B8B31C03201C0F35D14C50A627225C8E73A83495B79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:18.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:18.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486A2BE6363A3594C18563E513A6F08A,SHA256=A5EF6F1CEBF9AE693CBD79729F84CBEE24E1726319324C47F838FB2F57E8FB0Afalsetrue 354300x800000000000000011626596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:14:49.501{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49548-false10.0.1.12-8000- 10341000x80000000000000003349558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CA97-6140-69B8-01000000F101}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349557Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349556Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-CA97-6140-69B8-01000000F101}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.948{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CA97-6140-69B8-01000000F101}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349546Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.935{AEE49BD1-CA97-6140-69B8-01000000F101}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349545Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.933{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3A9A54B66FDBFD6E67EF9F2F85908F,SHA256=C9E8E2E20A3D750419250F5B71209CD7F2E21FCE235A3E0315715BBAF2B07F3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349544Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.933{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF5E4C517969703616031103D01DDE0,SHA256=58A58A9F2AE2A47B47119A940AADBFC06D3CD9E78EF0F27EDC4190B5336D7A8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000011626605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.917{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-15490MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x800000000000000011626604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.916{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-154902021-09-14 16:15:19.916 11241100x800000000000000011626603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.915{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-154912021-09-14 16:15:19.915 11241100x800000000000000011626602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=39FE90F9C36CB20F05F1BB60DB0CBB5D,SHA256=7FEA42A1AA3C17446581B6F6FCE3721F5A78C1740AD98F9875E5B47E23DDF052falsetrue 11241100x800000000000000011626600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.276{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248E9483FE86104DD51999462BFB9B68,SHA256=28DE6FD952E229688C0B5656CE0E54B4B88B0A027E792F40820977D966290261falsetrue 10341000x80000000000000003349543Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.478{AEE49BD1-CA97-6140-68B8-01000000F101}57321912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349542Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CA97-6140-68B8-01000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349541Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349540Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-CA97-6140-68B8-01000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.363{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CA97-6140-68B8-01000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:19.348{AEE49BD1-CA97-6140-68B8-01000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:20.981{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8117AC1B2A07E356D97E1FC524CFC5C7,SHA256=48859ADE67AC5E1CD23FBE6FF379F4CB77085C56A477432895A29B50DECFEF9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349561Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:20.981{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F48986914B5F71BC5C35E6146802F81,SHA256=8EFD8E34677423ADE5F94A8A3879CAD34BE32669582D5F76DEFFAC817A49112C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000011626612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:20.918{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-15491MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x800000000000000011626611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:20.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:20.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=88ABD0D59020A860DDE56AC865429201,SHA256=E0DAFC47491348B63E7A48E0EDC34C30E5A0ACD511F740CD49F6EC582E30507Dfalsetrue 11241100x800000000000000011626609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:20.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:20.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5B5D08246DBB8BDA52CBAF37181424,SHA256=3C9159A733FCB8E7DABBE4B01BB0725702383E04AE1F39B169DD6B034D63F504falsetrue 23542300x80000000000000003349560Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:20.217{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2AD821FCD489E55A3E0665BE052CEDD,SHA256=A3263C5330D4C8EE96F34CE9A1BFB32BC50B94AF464D3FF5FFA3B860FB258528,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:20.079{AEE49BD1-CA97-6140-69B8-01000000F101}45844560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000011626607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.999{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:19.999{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A30CE8C035D03700F2C01F30AB52450B,SHA256=3BB135FCB997752B6500482CC938DA00E8A61FA152951D4A5EEE46AE0427CC38falsetrue 23542300x80000000000000003349563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:21.984{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58FE18BF53C49A8124BDF48D4CFB616,SHA256=6F88751BB2CAA1B376BBEE6F336719FA822C84CCAA8123FC0A6A5AC46B3F14E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011626614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:21.350{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:21.350{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08851576DD630E7F00B03C35460857D4,SHA256=9B72641EFF35F0F78AD077CB072B37B6F669EF117D8C2633F8B8574A82333FDCfalsetrue 23542300x80000000000000003349564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:22.986{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF7926FE8EBEC7915481D47C9EA985C,SHA256=F9E4893BE7407F0D7B3172CA3E321CB6758E7C387C144A56F11DAEB76CD27DBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011626673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.722{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011626672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.722{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011626671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.722{4DF467A6-CA9A-6140-A2BF-01000000F001}43047752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.707{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011626669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.707{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011626668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.602{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011626667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.601{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011626666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.601{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011626665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:22.600{4DF467A6-CA9A-6140-A2BF-01000000F001}4304\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011626664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.600{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011626663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011626662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011626661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011626660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011626659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011626658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011626657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011626656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011626655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011626654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011626653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011626652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011626651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011626650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011626649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011626648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011626647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011626646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011626645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011626644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011626643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011626642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011626641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011626640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011626639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011626638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011626637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011626636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011626635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011626634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011626633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011626632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011626631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011626630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011626628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011626627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011626626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000011626625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011626624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.585{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011626623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.570{4DF467A6-CA9A-6140-A2BF-01000000F001}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011626622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:22.569{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:22.569{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:22.569{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:22.569{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:22.569{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:22.569{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011626616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C9774DBD1531B053FE906F8A4BC0F0,SHA256=E0F71D9F505194720620DD28B88C43F6AAB7C01D7FA950205AE4594642328EC1falsetrue 734700x800000000000000011626789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.956{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011626788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.956{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011626787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.956{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011626786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.956{4DF467A6-CA9B-6140-A4BF-01000000F001}5764\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011626785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.956{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011626784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011626783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011626782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011626781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011626780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011626779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011626778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011626777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011626776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011626775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011626774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011626773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011626772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011626771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011626770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011626769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011626768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011626767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011626766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011626765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011626764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011626763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011626762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011626761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011626760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011626759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011626758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011626757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011626756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011626755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011626754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011626753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000011626752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011626751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011626749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011626748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011626747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000011626746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011626745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.940{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011626744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.925{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011626743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.925{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:23.925{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.925{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:23.925{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.925{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:23.925{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011626737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.523{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.523{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BCF1197027F8EA0A74236C2E6335AC,SHA256=EB0228B44B1FE8656E82752388BE970F120F1963267A3243D0E7DCE4B3D56661falsetrue 354300x80000000000000003349566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:11.168{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50092-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:23.155{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=923E93CF613A97BD17B7EA1F948CBD93,SHA256=54EF9FE49778C2FD83168E9F9E23841A3B7BD95D430B372B5BF02E19E7507521,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011626735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.385{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011626734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.385{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011626733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.385{4DF467A6-CA9B-6140-A3BF-01000000F001}49927700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.385{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011626731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.385{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000011626730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.285{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.285{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977D9BFDA8BAFC1AE9BC0A3012385404,SHA256=6BCE5A3D7A01F5A452A2321E0C82D98021285449B10C296B5F5ADCCA1AB4E91Afalsetrue 734700x800000000000000011626728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.270{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011626727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.270{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011626726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.270{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011626725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.270{4DF467A6-CA9B-6140-A3BF-01000000F001}4992\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011626724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.270{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011626723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011626722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011626721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011626720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011626719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011626718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011626717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011626716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011626715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011626714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011626713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011626712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011626711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011626710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011626709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011626708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011626707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011626706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011626705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011626704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011626703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011626702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011626701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011626700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011626699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011626698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011626697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011626696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011626695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011626694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011626693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011626692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011626691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011626689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011626688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011626687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000011626686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011626685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.254{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011626684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.239{4DF467A6-CA9B-6140-A3BF-01000000F001}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011626683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.239{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:23.239{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.239{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:23.239{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:23.239{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:23.239{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011626677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A01B9FA5B7E2D2AC98A544C36B7C5417,SHA256=03F53F143EFA8DD024FEACE9761223E63DE194A448525DCFEBD0386D3892EB73falsetrue 11241100x800000000000000011626675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:23.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=654F9BD2D111334691F3CC74DB21092E,SHA256=1BDF273652F135A92D36B7AF759C4185F5A5DB9C1194A40CFBA4EB405E37D4DCfalsetrue 23542300x80000000000000003349567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:24.007{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C6DE142B4DE9073596A993AEFF4A45,SHA256=F1CC64C079DA77085A299A64E22D1331003817CEBF3821A4A3E1EA0E3F055F64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011626856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.756{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011626855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.756{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011626854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.756{4DF467A6-CA9C-6140-A5BF-01000000F001}48166716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.756{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011626852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.756{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011626851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011626850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011626849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011626848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011626847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011626846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011626845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011626844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011626843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011626842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011626841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011626840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.640{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011626839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011626838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011626837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011626836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011626835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011626834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011626833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011626832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011626831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011626830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011626829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011626828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011626827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011626826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011626825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011626824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011626823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011626822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011626821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011626820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011626819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011626818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011626817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011626816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011626815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011626814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011626812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011626811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011626810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000011626809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011626808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.625{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011626807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.618{4DF467A6-CA9C-6140-A5BF-01000000F001}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011626806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:24.609{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:24.609{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:24.609{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:24.609{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:24.609{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:24.609{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011626800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.609{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.609{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B812AF2E9C3D8F25DB71C490BADF1A21,SHA256=30AC988F0804482A59E5204F9419F568625A948879A3A55C86E6B445123CF2C7falsetrue 11241100x800000000000000011626798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7344DE929F1F049FAA4A7828FCD19D,SHA256=2029F862F532C4754D0A617B7BDAB148E03EBEC73418031A4415BECB0C02D553falsetrue 11241100x800000000000000011626796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A01B9FA5B7E2D2AC98A544C36B7C5417,SHA256=03F53F143EFA8DD024FEACE9761223E63DE194A448525DCFEBD0386D3892EB73falsetrue 354300x800000000000000011626794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:14:55.431{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49549-false10.0.1.12-8000- 534500x800000000000000011626793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.071{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011626792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.071{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011626791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.071{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011626790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:24.071{4DF467A6-CA9B-6140-A4BF-01000000F001}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 534500x800000000000000011626982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.826{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011626981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.826{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011626980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.810{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011626979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.810{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011626978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.708{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011626977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.708{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011626976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.707{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011626975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.707{4DF467A6-CA9D-6140-A7BF-01000000F001}3912\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011626974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.707{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 11241100x800000000000000011626973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFDD6C31AD92398367C91AF9204FD62,SHA256=1BDC99AA80CC2E4BF451B903E4B55E57BA5DF2C9E34969D7545627E599B53053falsetrue 18141800x800000000000000011626971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.706{4DF467A6-CA9D-6140-A7BF-01000000F001}3912\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011626970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.705{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011626969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.705{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011626968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011626967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011626966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000011626965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011626964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011626963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011626962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011626961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011626960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011626959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011626958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011626957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011626956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011626955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011626954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011626953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011626952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011626951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011626950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011626949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011626948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011626947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011626946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011626945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011626944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000011626943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011626942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011626941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000011626940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000011626939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011626938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011626937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011626936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011626935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000011626934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011626932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011626931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011626930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000011626929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011626928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.689{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011626927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.674{4DF467A6-CA9D-6140-A7BF-01000000F001}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:25.011{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91967D6045E5CF7228B159CC714A8B5C,SHA256=27944B2A6C51BB9AA52899AA9BEAB47A9CA3495C668EA220E4D6C1A6BFBE863F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x800000000000000011626926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.673{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:25.673{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.673{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:25.673{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.673{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:25.673{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011626920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011626919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97C04DA61982867F2F185D4DC34621DF,SHA256=9DF57938C03605107C8D5770B98FD386963B65BC2AF2387522F5EC37B3B2720Dfalsetrue 11241100x800000000000000011626918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89785C2A8EE999F1680C8C4A0AAF46F1,SHA256=C573F41C5F34FB9776008F1CC784FD586774DDCA616C70A7A766FA4F26D9CCF8falsetrue 534500x800000000000000011626916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.288{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000011626915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.288{4DF467A6-CA9D-6140-A6BF-01000000F001}80523392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.288{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011626913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.288{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000011626912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011626911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=522D5C9D774AB10273EA76D2C034D6E1,SHA256=660188C8FEF5B6EA59E2186F0E2F53D0B4045A752956A9D03E8E5FD81A8827F6falsetrue 11241100x800000000000000011626910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011626909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E0B5A220F56B09F409C6CF879796A5,SHA256=0D3E12C08C4CD46799E05C47F11FE78BC444844737642480A4E84B3ED8C45D7Cfalsetrue 734700x800000000000000011626908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011626907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011626906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011626905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011626904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011626903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011626902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011626901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011626900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.173{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011626899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011626898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011626897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011626896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011626895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011626894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011626893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011626892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011626891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011626890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011626889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011626888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011626887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011626886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011626885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011626884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011626883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011626882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011626881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011626880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011626879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011626878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011626877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011626876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011626875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011626874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011626873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011626872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011626871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011626870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011626868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011626867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011626866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000011626865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011626864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.157{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011626863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:25.142{4DF467A6-CA9D-6140-A6BF-01000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011626862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.141{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:25.141{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.141{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:25.141{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:25.141{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:25.141{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011627044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.828{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.828{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B19DD6B5031165F95711C8167A0512,SHA256=FC7378B2AB56E36150DAC18F8627B327C4E5FFA43C49A7F44B48D462C81D5754falsetrue 11241100x800000000000000011627042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54FE616786AB892DECEFCD75C07CC8F,SHA256=CA6174DE319FBBB61CD7EDD2A86BF23F0269D6CC73A0081B2B04B94BE7DBF918falsetrue 11241100x800000000000000011627040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9DB469FD0574F09422F4BD601495DE7,SHA256=B9E85264D40EB3714E66738CA338D31C111B50EFB0A56EF369566A85817F7B24falsetrue 23542300x80000000000000003349569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:26.032{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284ECE3A515EDCE97006A10EF2C1DE34,SHA256=2B8A4497755E41291C2FCD975882420465202D66840808A27DA367DE4741042B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011627038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.512{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011627037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.512{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011627036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.512{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.512{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011627034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.390{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.390{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.390{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:26.390{4DF467A6-CA9E-6140-A8BF-01000000F001}5852\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011627030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.390{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011627028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011627025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000011627017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011627004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011627000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011626999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011626998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011626997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011626996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011626995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011626994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011626993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011626992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000011626991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011626990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.375{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011626989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:26.360{4DF467A6-CA9E-6140-A8BF-01000000F001}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011626988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:26.359{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:26.359{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:26.359{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:26.359{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011626984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:15:26.359{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011626983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:15:26.359{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011627046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:27.812{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:27.812{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B22EEF2DCB722026CCE4E5245F319D9,SHA256=D2BE60A625E2BF1C808AA5E262D3D8A36EC317A20D89C6366CDAECC787242CB7falsetrue 23542300x80000000000000003349570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:27.036{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBB7856F9847BDA72E742D732933CA5,SHA256=4E7C5040DD7EBB347876B1595EC8A5734EEA3384028F4944E979B7F215426FBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:28.849{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:28.849{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD09F559C759C6CE31E4791A96FE729E,SHA256=3A0412249DB343B4A485BB26678C4B2AB25B5E9A63E0A1D8A4E057589532E2F7falsetrue 23542300x80000000000000003349571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:28.085{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C52E0B6D568E6271E6A4212159FDEDA,SHA256=3FE60729A2D0EFC79D06AA87D3864236ABFF807C6B9D8BBB42BF86AFE82682C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:28.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:28.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61B675D362B965E7958B16D22B52B9A6,SHA256=09A96AFE6A739C382A94AADA16BBE328E2D0AEFE0C8286EAEDCDF87DB30067B6falsetrue 11241100x800000000000000011627055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:29.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:29.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4DA3E6784B1BAD52413479F9062AA386,SHA256=C110BFEFBD3853BE8C1D55AAD501A18BBA2F542628B812B56DBB3C7F4F93B1FEfalsetrue 11241100x800000000000000011627053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:29.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:29.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01E500EDFB02FF7B5670BF92470554A,SHA256=6EC9B0C7E439669C8F5366C6E65CD47A0D414BF49D693E6EFE71330D7B951204falsetrue 354300x80000000000000003349575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:17.200{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50093-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:29.224{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC0524F826019F617587F19A23081B3E,SHA256=0143C5BD645A2F400AF46343F489D7D804B839D664A420FFC12108D1706F159E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349573Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:29.224{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=865CE74AB3AFDD926F2EAB2AAFEE1485,SHA256=4A14F1F95D59EF3E6EA81FF3FE6EE2B01A121C855E762E243DABB0F584F02C6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:29.088{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860F47E3308F5EE10D487EA8130775A9,SHA256=7C4837FDC28178983715CEFCD30035D292A9071CF8A22D1367816B6113EA640C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:00.561{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49550-false10.0.1.12-8000- 11241100x800000000000000011627061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:30.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:30.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6798616F32D8C032AADD3339ADF0DB2F,SHA256=EAAB04E3C9BDADFB09784620F6A7E552ABF0429877E226A7A526B2A7553401FBfalsetrue 23542300x80000000000000003349576Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:30.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35C8D11B7E39604346B5A8E320F871D,SHA256=DB1BACA44B16E68DE10EB2CC425EE3C0BBA0715870A30324C2A39EF3F3307D10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:30.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:30.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8CF2CDD43C1B4AF4A699FA23C898D8EA,SHA256=AD06DBAB177D26E61C5DDFAA8FB01AA9977FF7EE9BB3EFCCCB4B145D9D5BBBDFfalsetrue 11241100x800000000000000011627057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:30.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:30.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8DCD339C8A2C5171B41B8DE6D1658BD0,SHA256=785BF8713EACA4D565CE3ED7FC579A49DE9232FE0A952FE64CCEF9DE9B6D573Bfalsetrue 11241100x800000000000000011627063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:31.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:31.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C14D0DEB6B2FB6709894BBD8D584B40,SHA256=6F1C807E5A3EB05BB3CB5380867327BD8361B6DAFEA7329DD83AE753642A9F5Afalsetrue 23542300x80000000000000003349577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:31.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6554129062AE569CF6981686DEBD7B62,SHA256=942094812F57ACB47355F6FFF0C43C67AA3305A72E64391621B378B7C8A1790A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:32.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:32.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5006EACAB96BB15F1752F8787FC77D6,SHA256=422DE26E05D0CE5F9A451BDBADAA837261ADF1707A5842DF80598A225791EC93falsetrue 23542300x80000000000000003349578Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:32.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53D0410B722D6C03D115A258486D05C,SHA256=931F8E7C954429DE3E6ED43FB910BBD35B84292A51D7D071D985BE3DE8D956FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:33.993{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:33.993{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C119BF5288500B78C6ED7EA8718DFC42,SHA256=20EF708383BF8AF6E4D7F985AA3D478220990B4F07A9D20C2E3B4B5FBC2E4C8Ffalsetrue 23542300x80000000000000003349579Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:33.239{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3009BFF132107FE92A7507CA8FD6615B,SHA256=067B959C1099871651C9E7B3C079C3F8A2BECBC308AFDBBE31BA9F7FF197E850,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAA6-6140-6AB8-01000000F101}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349591Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349590Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349589Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349588Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349587Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349584Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349583Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CAA6-6140-6AB8-01000000F101}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349582Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.721{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAA6-6140-6AB8-01000000F101}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349581Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.706{AEE49BD1-CAA6-6140-6AB8-01000000F101}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349580Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.304{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBEFE8B72CD338AF24B84012D749AEF,SHA256=29A67B424284F4605F24CC7156176BAC313F8FDB705BF57E72BDC8CAD8A4351C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ECBCAF0363988BEBED28FF6370EC03D9,SHA256=D138441305EFA6777197C045E95C8277B03E74BFFBAE0524A2A89D8D7334A8B0falsetrue 10341000x800000000000000011627074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.579{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.579{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.579{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000011627071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51FCA109DFD4080D5700B5CC4DDA8798,SHA256=A3A90344D62E39B40AF885DC8F80C684645257D2DA09F95CBB70384860B7D858falsetrue 11241100x800000000000000011627069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05D5E0F31C28996FA20C196AD1BA370,SHA256=574B307A4C6B98E6B8F05146A4F6E5F69B032CDBC81B10C3B089085094D434A8falsetrue 23542300x80000000000000003349596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:35.344{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF456F940C563AAE3891B5EB7F038F6A,SHA256=FFF227FB8852D518B5A6BFF21E22B59A94DEA2B472772CE9EFC7A36D728BEA33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:35.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:35.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0707B1167E3403A3AACB56EB899D20D1,SHA256=79D4415293248DAA30C4AC4DEE36D7462119CA53FB537A83C2A0150EAE7502D5falsetrue 354300x800000000000000011627081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:06.392{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49551-false10.0.1.12-8000- 11241100x800000000000000011627080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:35.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:35.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AD8792F6477F033983C404A7C43DFF7B,SHA256=561AE5E7DC5DED3E9B9EFE1E4938293F5527D28D320129B26626B00AC0785C2Cfalsetrue 11241100x800000000000000011627078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:34.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4FA351EE5C8ECD322AAAF7FF7E2F0,SHA256=1C1B0FD21FFED22D09661974B97351BCF97A95631DA4CBE8C832B0F0344AF87Bfalsetrue 23542300x80000000000000003349595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:35.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1B430E73D531F5055A1227F6060E4F,SHA256=60C62F747C3F9883A075CA02883E97956985A3AA59C006DBBFD07E8D1FECA5D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:35.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC0524F826019F617587F19A23081B3E,SHA256=0143C5BD645A2F400AF46343F489D7D804B839D664A420FFC12108D1706F159E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:36.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3E84C5DE852DEB4FD1966C96087188,SHA256=3DCA02F2500FF5EAA5C2B693D19618F31088F3DA04169C12F4CE58897F052E66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:36.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:36.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8DB7AA19209DC2C44B5D5D974F66FD,SHA256=787F359C245C9BED03CA946BFE28AD799EDB37AF8D859E2D469BDE468CB21AE6falsetrue 354300x80000000000000003349597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:23.120{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50094-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:37.381{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C725A7FF4DA142EDBEDA6D0A85641C,SHA256=6FF1323E5A65FB72B87C261D43644B5BBDF291C142B64B51AA0E6A53A509A793,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:37.035{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:37.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201DE8CF37E289755152D808AA5DC047,SHA256=1CDDDEB059B9982D008B8C79D40EECF07A22984F4C6447A27DCA18A9EC7B9A5Dfalsetrue 23542300x80000000000000003349600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:38.384{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DB244BCDF9C98A8112B9DD7E0A5282,SHA256=4A46917EEDC195C1445F8DDCBB2256E44EC73565EEB9C4D6C9621D1DD290B6FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:38.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:38.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7182C917D40669A329B75A0230EFC00,SHA256=B3C992EEB63929B11ACBFB605B13D670A60C65D24D762D3824178588CD51FFAAfalsetrue 23542300x80000000000000003349601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:39.387{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BF8BE76F43CE5E85A3A5236E8BA2D3,SHA256=0CAED37D9DF26842D253F4790E482E578E92FABD5DC94CA9641CE1F4D150D3D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:39.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:39.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DF5C4FC4C212DE40FDCAF143A9FC3BC4,SHA256=4B469204E69E00CBF33FE84625715CE75565CCEFE1478CC62A08929C55A8FAAAfalsetrue 11241100x800000000000000011627091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:39.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:39.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953F74BF16366EBAF17A98BEC72147D9,SHA256=6F81A8B105701E5F8F042BC79E55A02050348B59B5EC03A5EC240454832A7FBAfalsetrue 23542300x80000000000000003349604Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:40.390{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3FDC7383F8D99C58DEF38603B99272,SHA256=8BF801B7F0C1630A96D4543E30214E9B17CFF9C27A428A930CB9C2743FF41ACF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F22F694737FC389C4047E904F2D628E3,SHA256=59487D1AE7804E177EB14DD8FA14F48D7C4BCAAD2B049D08D8CB539A2BD1B490falsetrue 11241100x800000000000000011627101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA86F243F8DA6A092147B4D40CB40629,SHA256=83AA1404E7DC6D634D9E8AD283839A959ED18D2FB25779FC908D05DF40C3F4ECfalsetrue 11241100x800000000000000011627099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.078{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.078{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DCE77D62D909C56C04AF95B05E4E7BC,SHA256=F7CD3A9DE7FC39E858F63657ADD5ACB6933B8BF70E26B19DC44EFED49C75325Cfalsetrue 11241100x800000000000000011627097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.078{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.078{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51FCA109DFD4080D5700B5CC4DDA8798,SHA256=A3A90344D62E39B40AF885DC8F80C684645257D2DA09F95CBB70384860B7D858falsetrue 11241100x800000000000000011627095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:40.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9F3A686B2DEBD546426C41C62C56EC,SHA256=5AC752911433A941ED621D65B25340968E80C56B64113574F3493CAE730011D0falsetrue 23542300x80000000000000003349603Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:40.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F914661BB1E7DBEBB9D88C19D1D761D,SHA256=27CF7159F5790561F7CBBC03E2F4B9AD9572299D9D8CDDC93AECB176BB332772,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:40.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1B430E73D531F5055A1227F6060E4F,SHA256=60C62F747C3F9883A075CA02883E97956985A3AA59C006DBBFD07E8D1FECA5D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349609Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:41.879{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349608Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:41.879{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349607Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:41.879{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000003349606Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:41.409{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B18E0662AFCD55CF239516CD0482DC,SHA256=C8D21EF4C61C718C9CCD3560352C72EA65295B815B898EA96B6844CBEE12E2A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:12.408{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49552-false10.0.1.12-8000- 11241100x800000000000000011627105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:41.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:41.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413524AA19FCA6B345BEC619CA972087,SHA256=8D4C58F03AC76B475878D2A6660932DA28D9BEE994FBE5684A83584AC897E4FFfalsetrue 354300x80000000000000003349605Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:28.286{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50095-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349610Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:42.461{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE96F78E7D7C3A926BC1B6156F5A06A4,SHA256=32760CBD584B633EACCB2B9F6EDB08EE42AE34FA2151F81F0C9964D4C7085E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:42.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:42.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AB0DD622F9A62749D751936314D3C3,SHA256=A47AEF4F7656B8E5117A0BD17E704AFEBC0ACF49F442C79530915316683A00F9falsetrue 23542300x80000000000000003349611Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:43.483{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FDB721C2A5E61C3C2DB231F23DA306,SHA256=EC15460318B89AE8AE3F08537C7FAA9EAE10D4DAB0775DBA63F1F3452E434BB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:43.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:43.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DCE77D62D909C56C04AF95B05E4E7BC,SHA256=F7CD3A9DE7FC39E858F63657ADD5ACB6933B8BF70E26B19DC44EFED49C75325Cfalsetrue 11241100x800000000000000011627112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:43.334{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x800000000000000011627111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:43.334{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x800000000000000011627110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:43.087{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:43.087{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58913DB871FAC546B1DB84D6B09385D2,SHA256=83100358188E9473C9F21EBC5C34058210F6F48B9FB24F2D24D2C424DD0C2DB2falsetrue 23542300x80000000000000003349612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:44.485{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D6B2E4DB1FBB7CCBB45AB3A880984E,SHA256=CBEB09F5BFE6C8DE90AB87ECB830CA67D22E243D9BBEBF2FFD2B84843B7BED60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:44.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:44.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=74A221514DBFCC17E7B127A2B3A0A3C9,SHA256=344346365F428C44E233BABB2DF01D4EE5E3C26D0665C34A76B77F45DF2B8375falsetrue 11241100x800000000000000011627116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:44.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:44.089{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062F862A2EA38A4C1B9E8E7356051C5D,SHA256=45482BAD59C3B8BE585E98762525647E6F8383266D365E1602C36B8F87135DA7falsetrue 23542300x80000000000000003349613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:45.504{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A6455F913EC2114021AB87C63EF878,SHA256=9518D24FDE78683834B511087E435AE2C97066EC9A2B2A1B8B3998DE3D7F87F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F16B801FF1D06099769516744ED4A27,SHA256=B9BA68DF3B99E9BE8A0E7CF7A3A7ECD6F8C15545D1D75A2C89C8C1B8971A7B77falsetrue 354300x800000000000000011627143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:16.666{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49553-false10.0.1.12-8089- 10341000x800000000000000011627142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.354{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.353{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.353{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.353{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.353{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011627125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.353{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000011627124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=88D6C1EABDB46405AA92C5D416A15E3E,SHA256=8AB7A133C568EEF7EB68E2B4BA7539768ADD39332D9B06B61ABDAE3791B0D596falsetrue 11241100x800000000000000011627122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4A4F4ECBD930E7DC884C03C97F02A9C,SHA256=E08DFFC91B451FA768199022859899D2483B7F7A89D1DCBFE0A3FB087DA9F952falsetrue 11241100x800000000000000011627120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:45.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4E32BDABAEF69E34589BF4BEC91A56,SHA256=67A1301472AB6596170FAC1C134A53752CCFE0F48532705BBD7C5CBA8DA97B9Efalsetrue 23542300x80000000000000003349616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:46.507{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8483067AAF93B52037DA3026D74D6160,SHA256=EC7B4B369A2AB992F3D8DEAE1346AF295FA0B3C0F8392E30C7950082307EF6D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:17.484{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49554-false10.0.1.12-8000- 11241100x800000000000000011627147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:46.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:46.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6FEF236C5A439343D068B7F67E3DF6,SHA256=8A5FE3C35CD2B7D6E12BC608E114FB3CAC4A210A4B3D8DDF87079061E96DC98Cfalsetrue 23542300x80000000000000003349615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:46.306{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8726B40A3075BEECD659D2129797A69,SHA256=5EE4ECEBC0E1BBF85DD082973AF6956B8ACC4BCC6FB2D936A56C52BE487DD6EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:46.306{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F914661BB1E7DBEBB9D88C19D1D761D,SHA256=27CF7159F5790561F7CBBC03E2F4B9AD9572299D9D8CDDC93AECB176BB332772,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:47.510{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67307C56CB285CE5B9E806C2E29DF094,SHA256=56A4C2A80A5F4BB0CD7F609694000EEFF5568DFC713175F4BBB2F8E4137E3995,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:47.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:47.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D623F8D3A291075A93E6CCDD2C48E6,SHA256=23D9046881BE0585860DD7780E164903634585AC26F32EED5AC2CE4705B31785falsetrue 354300x80000000000000003349617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:34.286{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50096-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:48.512{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6A475671AFE4DAC52654B32BFB05AD,SHA256=9F1776550D3E4AF96F68CA4A19D971F8B2F1F67F14E93819DD3336460F084200,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:48.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:48.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AC826BC15DDCBAB5FB63C5BAC3A8165,SHA256=51B3B320C51515B048BC3A15345EABC2024005B5FA233C2DAAF0DC38795FD6FDfalsetrue 11241100x800000000000000011627152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:48.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:48.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056A50FAF8821C1E428F1FB49D7ED6D1,SHA256=55C22724B6B100184911526AEE5D2A0B5F80D29545C9CA00B1B3AE3CBDAB31B0falsetrue 23542300x80000000000000003349619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:48.276{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-15483MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:49.515{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01537CCF7189DFC5E8B8FC9EE49BB194,SHA256=8CF41D29B7AB0CC2C7E022958066CE4906F313863D1E2C010EB1B72C0075FC70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:49.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:49.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E89D9CF3D29D90E5BB637003430DDBD8,SHA256=E2F570F6A64C3044B814B01C514447F0B1507029ED1225A0E074CB2C93F62249falsetrue 11241100x800000000000000011627156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:49.132{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:49.132{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA95BE2AD71FC9A86101C9E9C701837,SHA256=9E73321F72177CBEF03697224315F5FEC1D92A6044FA47BF3F22FC8F049F9050falsetrue 23542300x80000000000000003349621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:49.277{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-15484MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:50.518{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE4AA92E33287915BFE7613D7098069,SHA256=5858BDD848BC307400216BD76A2024C4C63CE2CB4F5268EBAC262F954C0A3240,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.704{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.704{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62110C40B78EF4FB1965F8C53A38EF5B,SHA256=3E608F69C4658D6669AF37A80882B6DE81CF4D7434D4810FC68D8F2277268F91falsetrue 354300x800000000000000011627165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:22.517{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49555-false10.0.1.12-8000- 11241100x800000000000000011627164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1AD351156FDDC7B8620FB0D5C9B9F0B6,SHA256=908CE91EE50955DA479A4538791DAF9462B385F3BC1C400D1D29D0F031EDF756falsetrue 11241100x800000000000000011627162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67692657E645180806F44B2F6DB48AD3,SHA256=DC90A372FE3218AB590D90D7EC8486837C00D72299FD1F4DB146A236CB883EA1falsetrue 11241100x800000000000000011627160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:50.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4532BB1B971BC244072342839196D8,SHA256=7CD657828C4C47D9513216A3E6BB48BEA5582385A71B950FC1B9A95E42C14D1Afalsetrue 23542300x80000000000000003349624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:51.521{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A32B56C4E95FB32A1E907EAA554AB2,SHA256=1743AB02F5C8E988F55A52DE5DDF3640298926E9F4E8040C1F143CBE0412B26C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:51.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:51.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B6919096F01814CA5328E994204127,SHA256=C99522A34A2A61D18B9C0A7FE483B59A3A726E6BE733078588D36957DB925FFDfalsetrue 23542300x80000000000000003349628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:52.524{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B064441865CE6FE7B66CCEFCA5C700B,SHA256=E7957ED68DD3039A4309912E05FE87AA071641FFEA5C2AAAF5A906523C949727,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:52.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:52.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A72228021325E013E6C51623F8D691,SHA256=524B0D367ED1870F19341E8B2888CF2673F3BC282A7BC793F5345A5BA78B63F7falsetrue 354300x80000000000000003349627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:40.219{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50097-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:52.239{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E13B8513A70AE7D04FC12EB18C326138,SHA256=66CF347FE32B3EDBB5389B51BFEE7F34D0D88A6D0DC42FC4153AB753C7D93435,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:52.239{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8726B40A3075BEECD659D2129797A69,SHA256=5EE4ECEBC0E1BBF85DD082973AF6956B8ACC4BCC6FB2D936A56C52BE487DD6EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:53.527{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A394715F51C995F5E2C56159A3F7FC,SHA256=88D4CA6ED6263454BB836F22014158599114FF3C6BA7177ABA9BE108A750DA72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:53.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:53.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3FC677C46F34C479CEA4435B21FCD9,SHA256=F94A86CCE01566453B6D9A5AA9C2BE3A0F2BAC26C25DAEBE682EC56C152DFF37falsetrue 23542300x80000000000000003349630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:54.530{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447C3B055C47C40B41EA36B3C6963C6E,SHA256=95F31DD72C81193471E7AB1EA67393AA4EDD82223CD0C7F1496C3EE648E17CDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:54.179{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:54.179{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C02DE01405E5E856C1E309039113FB,SHA256=C768377A6F2EA9FC1A780DD52E78C1811E691F22322A0BF3F6023FB6DC669C66falsetrue 23542300x80000000000000003349631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:55.532{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACB07702523941CA12F18FACACDCCF6,SHA256=F10D66F5BAF04834FAE158FD8160CD04ABD579A2A5949BD7523C725E1A189404,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=02018FBCD9C0BE3D3DFBC6BF8DDA7E11,SHA256=CC646C44B5A23C2D65015026B21111EF0A8C612D5EB3BDC34CA37B677580C202falsetrue 11241100x800000000000000011627187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9E5539AF5C4E6DAA919F30B277BBEDB,SHA256=AAF5484C909B8E62869C30A14BA21832AFF61FEC69D7CA4E23C6DD68601C0485falsetrue 11241100x800000000000000011627185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=854C81DE601D3849B942749C2E9D6537,SHA256=834543FB497EDB6E7C0984B1B28FA8AE13DF6D8C44C38ADB3305A59A55CDEF03falsetrue 11241100x800000000000000011627183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CB1D36B0588432D14D7552C123BAECF,SHA256=D8CA4D9CC911DBBFB0EE42A56C52D66858FA300F92A4BF62239A622891F00728falsetrue 11241100x800000000000000011627181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 11241100x800000000000000011627180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB0745479398D0981A626C46F1D8A4F0,SHA256=AFD2724BB988107F2B7EA6C60D2F4A94A11CC376056E854676CA50645AE688D1falsetrue 23542300x800000000000000011627178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842F118A63D2C7B58917614C5CCFEA6B,SHA256=B1712A9CDDF0C9C9BF8E260386E90CDC98504DBC87D19185F506BF46ED7644E4falsetrue 12241200x800000000000000011627177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:15:55.063{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011627176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:15:55.063{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000003349632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:56.535{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26643391B9B0512B4C5CB28AD42CC345,SHA256=69F11E4A2B992E70E8FC8DEAE243DAE7AFAA5D9B16DB5765FDCD275D7C55A63B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:28.395{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49557-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x800000000000000011627195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:28.395{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49557-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x800000000000000011627194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:27.593{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49556-false10.0.1.12-8000- 11241100x800000000000000011627193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:56.318{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:56.318{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101E6B54C78E52DFA5BF942C43DAA052,SHA256=D293EE8137E8D1CFE58E848488D81035351C205CB6A8E5180A16218172DF1B89falsetrue 11241100x800000000000000011627191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:56.265{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x800000000000000011627190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:56.265{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=977DB18E486E77A7757240D8E73CFF94,SHA256=F1A3F3E525739023E6DA5ACF728C45FC8F1B995EC4BBA8DA1F270902D1A597AAfalsetrue 23542300x80000000000000003349633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:57.538{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B9C9EE7F2BC482B8E0E00530F5EC64,SHA256=150194FE87020366FCB74C830FAAE7E3A26B2EF56C74A4A0062AEE3D007685C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:57.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:57.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EF4AD9CA855EA7BCB4E6643628D955,SHA256=9CEB877676BE454E25163EA80C000E482950BEAEE68961A1593CDEDA65E13D7Cfalsetrue 23542300x80000000000000003349636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:58.541{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD78B0DD9F37933E44E63E57021541F,SHA256=D40EDACB9F1AB9496E3146DB7287F51F6296CC178D18CE2B3454F190687B278F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:58.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:58.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0B83F1914C025010F0B80120DC0509,SHA256=61E3C9691EC67B6A7866575DE8507C7B36E0230CC2E4A7A42D0703ADC2C61BD4falsetrue 23542300x80000000000000003349635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:58.187{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9DCF24ECBEB5DD3C33C54A21D25698F,SHA256=12F06E7E433751EF503484E8D3FEF439D2094CE04EFD644708CD9380A5EEB4E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:58.187{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E13B8513A70AE7D04FC12EB18C326138,SHA256=66CF347FE32B3EDBB5389B51BFEE7F34D0D88A6D0DC42FC4153AB753C7D93435,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003349638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:46.236{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50098-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:59.544{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA26CAC2E5D6D5E68ECA011144AB489,SHA256=1CFD207D20E61413501CB0355DE9858DA1AA7DFD94CA3241947C2E54F5B821D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:59.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:59.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DBB2A3D33DDFD0F8C4BA772E7159C21,SHA256=D547988D127FE2F24BC0BC25AF8F0A4817BA383BDE431762F60CDCB85801B620falsetrue 11241100x800000000000000011627202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:59.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:59.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18EF9EDFB67D294FCFA6F2E4964D8B0,SHA256=9CCCCEEDBC43BF1683F0099A7B4E7C52D34ED829290DE90CFEB52C99CD07C952falsetrue 23542300x80000000000000003349639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:00.547{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C13E4E4A7C6238AA9E03D8502A6F891,SHA256=1F18BB8640216B22CDFD155F42B3DF8B9C4BFBE271239CE8EB95A65E3752C6B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:00.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:00.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=515489A9F25BB8B93C235C1F345549D1,SHA256=475806B0A67A0437C96D20B87E5B88DFF05B6BDF21C31E3B7D3930EDEAADFA71falsetrue 11241100x800000000000000011627208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:00.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:00.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=39C2CC4D05CA596046ACB03AD8F2A216,SHA256=93C8104C2D68FA448E6C3CB933B5C4E9D3FA2C152E86FCC0B7037907B3BE132Efalsetrue 11241100x800000000000000011627206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:00.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:00.529{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF286BB17E6F28E1D5F33A4F74B6AB9,SHA256=C2C0EA0A56DDDC836BA3778C373EC42B215AE8A10098524AC82D4B5E6B097DD4falsetrue 23542300x80000000000000003349640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:01.550{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF82FFD6C8965D638175ECE137DE102,SHA256=509387464ADAE2D0CE00214B96905E9E4B03D418C0BC78C496B1DCECFEE3314F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:33.375{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49558-false10.0.1.12-8000- 11241100x800000000000000011627216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:01.531{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:01.531{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943CCF1AB15109DF1F4FF8BAA6EF327,SHA256=94D191E5FDD09C20F0295D4AD671811DB87D2B0B68A323BE56856F5A7918E3E0falsetrue 11241100x800000000000000011627214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:01.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:01.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8B8BD1398299F3059EEFC1E6B76A0BD,SHA256=FE3706E570DF504E64D8BAC1BB45EE3506945CB3CE18D16DB39FFC594105C56Afalsetrue 11241100x800000000000000011627212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:01.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:01.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CB1D36B0588432D14D7552C123BAECF,SHA256=D8CA4D9CC911DBBFB0EE42A56C52D66858FA300F92A4BF62239A622891F00728falsetrue 11241100x800000000000000011627219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:02.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:02.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4F67DAF33A9FB0178A2C807119D0EA,SHA256=A1268861B8A68B029E6D7A6969ECF675EC55AECC62DB09362D85FAD04E2FC267falsetrue 23542300x80000000000000003349654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.553{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F1D9BE0179CD79D58E30CB5F41F0B8,SHA256=53A8CECE591D806A69B1E3A02CC292E47487B03AE190D44A69E520FC24AE2C9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAC2-6140-6BB8-01000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CAC2-6140-6BB8-01000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.368{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAC2-6140-6BB8-01000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.353{AEE49BD1-CAC2-6140-6BB8-01000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000011627224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:03.552{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:03.552{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27C40DFF8421387DFD45338E3A352C8,SHA256=021A8BCE234B1FDB177F6199FEB351415A362354BB612E99818D785DFD2E3A50falsetrue 354300x80000000000000003349684Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:51.250{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50099-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000003349683Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAC3-6140-6DB8-01000000F101}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349682Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349681Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349680Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349679Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349678Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349677Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349676Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349675Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349674Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349673Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CAC3-6140-6DB8-01000000F101}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349672Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.756{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAC3-6140-6DB8-01000000F101}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349671Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.741{AEE49BD1-CAC3-6140-6DB8-01000000F101}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349670Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.555{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19DB0BF59E1847F00AF3334EF38927A,SHA256=75D99E0746AC7AD231402197BCE5050609E1D73FAE2E3992958DF7DC05E38663,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:03.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:03.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8B8BD1398299F3059EEFC1E6B76A0BD,SHA256=FE3706E570DF504E64D8BAC1BB45EE3506945CB3CE18D16DB39FFC594105C56Afalsetrue 18141800x800000000000000011627220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:03.399{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 10341000x80000000000000003349669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.170{AEE49BD1-CAC3-6140-6CB8-01000000F101}48482532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000003349668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.170{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9DCF24ECBEB5DD3C33C54A21D25698F,SHA256=12F06E7E433751EF503484E8D3FEF439D2094CE04EFD644708CD9380A5EEB4E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAC3-6140-6CB8-01000000F101}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349666Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-CAC3-6140-6CB8-01000000F101}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.054{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAC3-6140-6CB8-01000000F101}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:03.039{AEE49BD1-CAC3-6140-6CB8-01000000F101}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349686Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:04.557{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F619888729D827BF74DC3E71644987A7,SHA256=7CDF46F889BD2B2DD49AA88E7454E5DE19BB39A68D25F6D0800BDC690C6EFE48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:04.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:04.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B43A7A8BACC640AED858385EFA90A811,SHA256=F815AD6D76CC481C05FAF8880A2CAF6A2B626D3814CF13C852434407B12FE83Dfalsetrue 11241100x800000000000000011627226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:04.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:04.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645478F47CFC935B8762389D69AEC824,SHA256=4E68CB1BDEBDD5DFF00324A7C4C4911A1FD5A3F14174603973C371FD6814DE4Cfalsetrue 23542300x80000000000000003349685Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:04.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6664614AA33218CF301E65412915D344,SHA256=67B18AFCDAECE18A25494C95FDFAC3851468769CC13DE1DC41D29389FF123F6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349687Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:05.560{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D09E6088814CEA657E68DD7F2A6FAC,SHA256=32A91B90804DB0F78C20D7CA666D7C72488485E418C116C83F1347E958D9CFE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:05.842{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:05.842{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B313F6500E45E6351CE8BD9E81BF164B,SHA256=C3342DA09CA785FB2F097383E82CA34949DA731298C933B410EF05836DF251BEfalsetrue 11241100x800000000000000011627232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:05.572{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:05.572{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6E188A4041EB07D4050AD422E1CFD7,SHA256=49DEB2E149494AFA898A4765E8766232E2595B2ED7BF4E3E073FB41A1B442D68falsetrue 11241100x800000000000000011627230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:05.541{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:05.541{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8F4101CD7978AE4411152C00C5263D3E,SHA256=B90A6E130C8D695F35AACEAE83B83CE66CF664F23CE4C47881FC464FEE812BEFfalsetrue 23542300x80000000000000003349688Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:06.563{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F089BFE053ADA9D54774835A16E8EFDB,SHA256=132ADC652F5FFCBDAC55D7B6EF5E8FE9BDBAF0E127870D31CB9DD0A75296B2D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:38.557{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49559-false10.0.1.12-8000- 11241100x800000000000000011627238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:06.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:06.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFEAB15962A6E77B0A68C0349B3C84D0,SHA256=1DB90633FC2FC76543DEC8DA59F9BA44EA93FA0E056C5CC7B77AD45A9B669183falsetrue 11241100x800000000000000011627236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:06.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:06.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C51549457EC6203C9CAE0BB83E6E8450,SHA256=635F70C9811347509CB4CF8D89C6D3E69483DCC76FC8BA29F3B6728A9A662A76falsetrue 23542300x80000000000000003349689Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:07.566{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2DD6D57BB1D21BED02A1FF740F2428,SHA256=1E85686682C4CEE964AC305AC358F28166B4C3A609AE0710ADB2169CCBC87869,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:07.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:07.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266AA65565AAED428453398AA43D4D1F,SHA256=82D527F595D97B3FFAA512004638C53719617E3014200401509F2FD920A718B9falsetrue 11241100x800000000000000011627245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:08.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:08.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC5EB6E5565EC1D6639A870A475C52B,SHA256=8D19B2418B3A2586CABBBD9D1699C1EEB5E983B0A9A58CBE4E0C33F62122B167falsetrue 23542300x80000000000000003349691Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:08.569{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527372A0550870F3BAD01373D4747DD2,SHA256=F5A1BBF2E2C65F34730551B11C5467530553148B77A7D5C9DC5BF9D598D712C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349690Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:08.369{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:08.531{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:08.531{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86C56297805784A79A0FB66C1E17FD9D,SHA256=8860C0AA995323DF71DBA610A5FA7E08F64A515781517D5B2A0910ECDBD0312Efalsetrue 354300x80000000000000003349695Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:57.436{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50101-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000003349694Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:15:57.166{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50100-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349693Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:09.572{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C57F0E8B9E2C819E7254C746ECFC720,SHA256=7644B7E7500D18E521C0E34AC8FD0AF7BACAFE4D2D331018B80B23491038E342,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:09.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:09.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=465F0EE73079369A70CA49A521CA9C79,SHA256=62E996A163110FBDD8C0910CF6BCCE6E8BCF2BA872CA035AF27827DEDFE3932Bfalsetrue 11241100x800000000000000011627247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:09.650{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:09.650{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB9079FA7210FC32CAEB1E11243F066,SHA256=8D659ECA4359D17C3A148FE2E394DFE8B5B559F91577AEFDC1A0C5E4040ED775falsetrue 23542300x80000000000000003349692Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:09.086{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61EBFBA07B22E19953167E54A9EC2353,SHA256=7165F9736D70E9F023E27255C44047132210ADB088E798AECEBAD00F3F389833,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:10.900{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:10.900{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA671B1C445D05C1D52AFC1FB64B4B86,SHA256=108E9FC16095281C91DC4DF7613D219BAC3D69B69903EDE543E05DCE96876CD1falsetrue 11241100x800000000000000011627253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:10.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:10.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959C21953E5D23D36A9EC0D9D034527D,SHA256=75C47367ADBA81702EC1B7324AA0738B849629A7FB4809EA1A389EEA75384045falsetrue 23542300x80000000000000003349696Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:10.575{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1880DC4ECBE43F06807D6509E83CC5B,SHA256=53DFF20C0462D3FA67E9BE2DD3057432DCAF6534B414F7A769A32C2C9428D353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:10.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:10.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=84F36A580B8E04DD97CF7B722CC1DC24,SHA256=552EF22ABA76090C6B5EE4C137906FD6C9A3E28D50F9B9B36ABD24A52693EAFCfalsetrue 23542300x80000000000000003349697Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:11.578{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0359EC5C5713E1CDEEA2659BC21857,SHA256=3CB6B124729F36D0B8740D2202348A430EC6DEF09E153055AC04AD42B7CE033F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:11.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:11.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000E10F576740BC007B33651215F81C9,SHA256=16E64397D8C485E67DD0B58E9BC7BEF58D4DB3E50CB4F75A9412DE67E9CE56F1falsetrue 11241100x800000000000000011627261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:12.724{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:12.724{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECADE473498880171F76B69C2213D5EE,SHA256=054A409DD69C7202BE655665CF693DA97EA530FCC91E8F1EE86F11EDDEC1183Ffalsetrue 23542300x80000000000000003349698Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:12.581{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A851E43A68449519FCE1B12E3C431D5B,SHA256=46002B6F23F664C23F7FDA67DA838998452356D4246331247ACC2E1E9F0F39BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:12.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:12.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C1E15650D1E2DD0E284C7D2DC8E2938,SHA256=D8FBE57891556A3AF741DFA72BE34949750B4AA38648927A01021C94A089BAE2falsetrue 354300x800000000000000011627264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:44.485{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49560-false10.0.1.12-8000- 11241100x800000000000000011627263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:13.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:13.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE7CF13DAC73F62FBDC7F1CFA74F8A8,SHA256=EEC72A1B5D7288DF0C4F7B97E14E5066B5EA89E62C302617015039FF07BCD613falsetrue 23542300x80000000000000003349699Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:13.585{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC24837760383E0E15A98C8C15AFF320,SHA256=D11F5B8B2E4E1D2076A12CA51B7244819B623E84B8E7BE241004D201792B2200,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:14.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:14.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B5C2C3BBF4FBBFDE9E2B8D0BB157F6C,SHA256=B4ABFA97341FF832CB1E9988CCD9DFE2F39362E795DFAE082CF421DB1322451Dfalsetrue 11241100x800000000000000011627266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:14.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:14.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F19E950389D98ACB182C130528D4E0,SHA256=9E168C83DB9EEE604CC542F04F77F4A1E3630F95FCE81D19A0D51D4DFBDCEDE8falsetrue 23542300x80000000000000003349702Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:14.588{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CA7A83DF36CA2CE19C01617BAFD4E5,SHA256=7705F8B0FAE5F822C69F1D68F7558014385ED6EB4EAA982963990D2DE8029044,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349701Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:14.251{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880451C0E25FF102CBDE57AFFDA9885F,SHA256=5AECE9D05D40BB7A6F25F4C356A3AD9B8E77E0D89F060B33F2E82370337F929B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349700Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:14.250{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53CAD67C85DDBE2FB403B16843F3AFFC,SHA256=B3E8AF73C803EFBD2835CE820156D456461AC9448D4BB494A1B25EB716BB9AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3BFF7453DCA4C83B68E8B368E54FC50F,SHA256=9331BB54E8937D28B24EFDBC404B5207FAB9D346E53A94C4D3520FA7CB4DF70Efalsetrue 11241100x800000000000000011627274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AB6DDDEA2818694926A3BBBEEF59FD,SHA256=392A111982747CAB82982532A38C1AE99DAA4E044ADCEC9E9C339AD64A851887falsetrue 11241100x800000000000000011627272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.634{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.634{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CFBF6CE38176260DE10B74F14EA0B802,SHA256=D1CD94BAF1B98E680E922544AD4B289140616544061478211C6CBF896ACA7EF6falsetrue 11241100x800000000000000011627270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:15.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B04C5D1429C19EF4B671208E5BC2304F,SHA256=80875E7F054B3B4860C3C84DC263EF2026FC7DF1E25D877059DC2D38771B3DEBfalsetrue 23542300x80000000000000003349704Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:15.591{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424AB222A8111DD431CADFC663844C87,SHA256=3BCC226D96E9D54DF9E94D6CC1A02AA3A0E3A7221751A38AE782BFD02F3403AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003349703Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:02.331{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50102-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349705Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:16.594{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753011F775396FEFECB9A52E33EE8338,SHA256=15B87977597368484236C478AB93FF555BA04E91E85C013B30DE20FD6A7F1306,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:16.799{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:16.799{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0032AFDC82CA0AF468DA5A5E44925C,SHA256=79F4714FDB0CA1CD6E72EE0A406CEF9FD37C64130648A969BE4EED06E101E406falsetrue 23542300x80000000000000003349706Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:17.596{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2F96396423247EEDBF3725EB8F3433,SHA256=7A277973E02ECEDE1AA2A8D5710DEF7A1A57FD5552149346F946C897700DAC52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:17.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:17.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4DD4CE5172FB57268F1A276925ED5F,SHA256=61FCDE45ADEA9E853C1C04CA278DB9F0EEBE0F7FCF7944463D54D888C912D5B6falsetrue 354300x800000000000000011627281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:49.513{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49561-false10.0.1.12-8000- 11241100x800000000000000011627280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:17.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:17.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD8EE27E24E2FD562943EC57B35A55F,SHA256=4E3EE0B9131BEAFEAB64AC5A60C04622C495A8EA814F78A2F298D0686E69E5AEfalsetrue 11241100x800000000000000011627285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:18.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:18.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537FE130F971C58C5BCC0DEAF533225C,SHA256=721D329E9C9017E3375D3FD250AA9BA19696F71C8222CFC5191B20C5A8A9FE8Afalsetrue 10341000x80000000000000003349721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.831{AEE49BD1-CAD2-6140-6EB8-01000000F101}54923852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349720Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAD2-6140-6EB8-01000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349719Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349718Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349717Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349716Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349715Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349711Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349710Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CAD2-6140-6EB8-01000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349709Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.699{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAD2-6140-6EB8-01000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349708Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.684{AEE49BD1-CAD2-6140-6EB8-01000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349707Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:18.599{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59C7889E2B003E2BE3168A127142C80,SHA256=F3C686216DD693C311C1590EC287F35539153528C15A6CB4E16049CD2839EAFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:19.806{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:19.806{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4D1978C29FCFDA1C0A4FC9180226D9,SHA256=C0EFF376F5977BBCB801CB5FFC3E5828B86DFA787F21CDC60BA1250A7B6D2D2Dfalsetrue 23542300x80000000000000003349738Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.686{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6152B50C2FD8C5DB6B33938BBEF6686,SHA256=1259DB42678BED6E67D75308165C7D01A3F3239DD660B7B1B0AE042C0DC5F60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.686{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880451C0E25FF102CBDE57AFFDA9885F,SHA256=5AECE9D05D40BB7A6F25F4C356A3AD9B8E77E0D89F060B33F2E82370337F929B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349736Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.664{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0A3475FEF162BC3E03124ACE993F9A,SHA256=F5887CAA0BAEE13049DFD33934DC99BB5BF9ECEB0221A3544109E2E66D73907C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349735Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.501{AEE49BD1-CAD3-6140-6FB8-01000000F101}59445580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349734Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAD3-6140-6FB8-01000000F101}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349733Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349732Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349731Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349730Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349729Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349728Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349727Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349726Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349725Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349724Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CAD3-6140-6FB8-01000000F101}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349723Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.370{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAD3-6140-6FB8-01000000F101}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.364{AEE49BD1-CAD3-6140-6FB8-01000000F101}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349754Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.672{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D98B8EE9A41EECEE7C6610CFED060D6,SHA256=6A3F96380725EADC141F151D77F03ABFA0D6D7814F9E41C1F286276C987782C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:20.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:20.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7824996BBF7D89461D0BD1BEE6A23B61,SHA256=D82B6EE28D424A009450BD89D75F9D1BB671C34AA942EF684DDABA84EC1ADE42falsetrue 11241100x800000000000000011627291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:20.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:20.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=32E779A8ACF533DF6784F3E9EF2A7A24,SHA256=120B1DDA6490363FEE076376DD8540355ABE18A51B323F2FE6E23AC8547E9D32falsetrue 11241100x800000000000000011627289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:20.091{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:20.091{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8AB6461C7480FD82A244ABC75D195CBF,SHA256=36CF936EEBBBC70BDBBB40672446C77EF7D00BD4FAFDE0E6B05AA69BE7C7215Efalsetrue 23542300x80000000000000003349753Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.218{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E144B56F4FB567B393103CAEC5224EB,SHA256=70C2FD0DC60F3E61FD13E0E1DEEC39191F27BA4DE15F54E5A2F43FCB772D6319,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349752Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.187{AEE49BD1-CAD4-6140-70B8-01000000F101}60526128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349751Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.068{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAD4-6140-70B8-01000000F101}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349750Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349749Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349748Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349747Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349746Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349745Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349744Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349743Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349742Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349741Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.066{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-CAD4-6140-70B8-01000000F101}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349740Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.065{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAD4-6140-70B8-01000000F101}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:20.050{AEE49BD1-CAD4-6140-70B8-01000000F101}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000011627312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A1C9B5E19DECE3084F33E5EB498239,SHA256=0D4E4E59CD868736F9667C955663C89900CE7AF5DD0BAC1D7A78D7F612505101falsetrue 23542300x80000000000000003349757Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:21.738{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA13A5406F7AA00719712ACDCAE50BC,SHA256=CDBFC6DDD97C340EF7706B054020D089CF524958C0316C0D53034F3216FFA6FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003349756Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:08.183{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50103-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349755Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:21.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6152B50C2FD8C5DB6B33938BBEF6686,SHA256=1259DB42678BED6E67D75308165C7D01A3F3239DD660B7B1B0AE042C0DC5F60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000011627310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:21.747{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011627309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:21.742{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x800000000000000011627308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968\lsassC:\Windows\system32\DFSRs.exe 13241300x800000000000000011627307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 12241200x800000000000000011627306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000 11241100x800000000000000011627305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML.TMP2021-09-14 16:16:21.727 12241200x800000000000000011627304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 13241300x800000000000000011627303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Config SourceDWORD (0x00000001) 13241300x800000000000000011627302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML 12241200x800000000000000011627301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 11241100x800000000000000011627300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.727{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML.TMP2021-09-14 16:16:21.727 12241200x800000000000000011627299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:21.727{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000011627298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.428{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-15491MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x800000000000000011627297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.427{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-154912021-09-14 16:16:21.427 11241100x800000000000000011627296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.426{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-154922021-09-14 16:16:21.426 11241100x800000000000000011627295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:21.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA01FBBF5228A6621DCB548656D1477E,SHA256=0425091810BE1BFEE488DBF3D3899CA953883B63AB791F2905DFB623CABCA7BFfalsetrue 354300x800000000000000011627384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.070{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49563-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x800000000000000011627383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.070{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49563-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x800000000000000011627382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.059{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49562-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x800000000000000011627381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.059{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49562-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 11241100x800000000000000011627380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F0C82DE9A8CB67F83B2DD495E0116B,SHA256=55A732F5D3E898895E936D7F3985F6639E0F0873884A80D1BF6EA0134F956180falsetrue 23542300x80000000000000003349758Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:22.774{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD2F0210E316CCE300637D7291E4C16,SHA256=27A08713966E4886CC953CF270F164614E38A86E8420321808F91CE6FFC62F87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F5B78A9813F0578389F61B14EBBA58A,SHA256=99C9A644A3CD07E2D68D864596CFB8AF1848CBF90A361C5EFCAACDBFB291B56Afalsetrue 11241100x800000000000000011627376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17C6328F7F7AF63B17152A38E8240CBF,SHA256=169C115D05E40AABA7E4420BBDE026399014CACDAC0C707DBCA6B86CA5BA01A7falsetrue 12241200x800000000000000011627374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:22.746{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 534500x800000000000000011627373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.714{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011627372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.714{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011627371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.714{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.714{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011627369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.598{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.598{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.598{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:22.598{4DF467A6-CAD6-6140-A9BF-01000000F001}8148\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011627365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.598{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:22.598{4DF467A6-CAD6-6140-A9BF-01000000F001}8148\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011627363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.598{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011627359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000011627358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011627348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011627344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011627341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011627337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000011627336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000011627333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000011627332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011627331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011627330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000011627327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011627325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011627324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011627323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000011627322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011627321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.582{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011627320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.567{4DF467A6-CAD6-6140-A9BF-01000000F001}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011627319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:22.566{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:22.566{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:22.566{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:22.566{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:22.566{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:22.566{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000011627313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.428{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-15492MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x800000000000000011627506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.968{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.968{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EE05560138FF3198AEAB879727F1DA,SHA256=D8454589C3F1C8B7B0ADAFB9758A4D0C4359E65775C8555C6DBC551FC0FB44ABfalsetrue 11241100x800000000000000011627504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF731BC80E8B2F15CA2F8341A0F3E7F,SHA256=AC64EF56DF762107973A033D86B96BEB7D2CFCF1EABE064F3EB9734B156F5487falsetrue 534500x800000000000000011627502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.931{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011627501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.931{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011627500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.931{4DF467A6-CAD7-6140-ABBF-01000000F001}13563716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.931{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.931{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000003349759Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:23.777{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DFC56409F3D3503D7B5B4BE2C86CAF,SHA256=92A0EC30ABC02886F70EE0AB1FED03984C71F88811380CEF6BEABE12D1D5CA34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000011627497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.815{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.815{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.815{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.815{4DF467A6-CAD7-6140-ABBF-01000000F001}1356\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011627493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011627491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011627487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011627480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011627477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011627476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011627475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011627473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011627460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011627459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011627457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011627456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011627455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000011627454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011627453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.800{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011627452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.785{4DF467A6-CAD7-6140-ABBF-01000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011627451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.784{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:23.784{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.784{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:23.784{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.784{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:23.784{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011627445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F5B78A9813F0578389F61B14EBBA58A,SHA256=99C9A644A3CD07E2D68D864596CFB8AF1848CBF90A361C5EFCAACDBFB291B56Afalsetrue 354300x800000000000000011627443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.376{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49565-false10.0.1.12-8000- 354300x800000000000000011627442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.076{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49564-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x800000000000000011627441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:15:55.076{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49564-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 534500x800000000000000011627440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.250{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011627439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.249{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011627438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.249{4DF467A6-CAD7-6140-AABF-01000000F001}59285588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.249{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.248{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011627435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.129{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.129{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.129{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011627431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011627429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011627425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011627417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011627415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011627414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011627413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011627412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011627398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011627396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011627395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011627394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000011627393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011627392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.114{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011627391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:23.099{4DF467A6-CAD7-6140-AABF-01000000F001}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011627390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:23.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:23.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:23.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:23.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000003349760Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:24.780{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6D0C1A05334C586F07A5E409BB7A50,SHA256=C4A1262B8639EA95A6F6BBAFA7D2EC1C2CA08689FDA6822D2B4DF4288CF3E9C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CF4C750F0776709F5F21ABCE223AF77,SHA256=DA0AE902EE316A909F9903AB951045354720DE8B0FED3E35761E30BDB06F3AEEfalsetrue 534500x800000000000000011627562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.616{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011627561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.616{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011627560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.616{4DF467A6-CAD8-6140-ACBF-01000000F001}75803512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.616{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.616{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011627557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.501{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.501{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.501{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011627553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011627551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011627547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011627539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011627537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011627536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011627535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011627533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011627520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011627518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011627517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011627516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000011627515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011627514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.485{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011627513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:24.470{4DF467A6-CAD8-6140-ACBF-01000000F001}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011627512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:24.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:24.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:24.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:24.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:24.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:24.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000003349761Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:25.784{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0C5A4169032224DFBA5FDDA58196E,SHA256=ABB435AE54091ADCC8AC1FB702E871C6AEF8E24C6514BA0CCA24C224216814B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011627684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.903{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011627683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.903{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011627682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.903{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.888{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000011627680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.804{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.804{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260AC5259609AE7B960FAE3454401134,SHA256=205CC6618594F5F1F49CDB974897733BB8FD84E2FBB865B330D1C04DD10D5579falsetrue 734700x800000000000000011627678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011627674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011627672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 11241100x800000000000000011627668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A5CADC113279F9450ABB0A771F29447,SHA256=AA262B3B170AD11183ED1A06C5300D2E9E2C25A3E0D99E77E3913EDDD81A830Cfalsetrue 734700x800000000000000011627666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011627657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011627656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011627654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.772{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011627652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011627651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000011627639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011627638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011627636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011627635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011627634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000011627633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011627632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.757{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011627631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.751{4DF467A6-CAD9-6140-AEBF-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011627630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.750{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:25.750{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.750{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:25.750{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.750{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:25.750{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000011627624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.217{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000011627623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.217{4DF467A6-CAD9-6140-ADBF-01000000F001}70967912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.217{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.217{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000011627620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.133{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCDD81BE8D4B4C0708499C7C7B900532,SHA256=A73B18A502530090E2668E312373AF687A2614D018A0AE79EAD6622584CD3A01falsetrue 734700x800000000000000011627618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011627614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011627612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011627608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.102{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011627607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011627594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011627592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011627583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011627582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011627581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011627580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011627578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011627577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011627576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000011627575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011627574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.086{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011627573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.074{4DF467A6-CAD9-6140-ADBF-01000000F001}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011627572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.071{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:25.071{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.071{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:25.071{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:25.071{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:25.071{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011627566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.071{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:25.071{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5BCCFBDA5658454DEA8FC9CB44BFEB,SHA256=A35F7BCDC2592D2D6B8BA16E451F621023587D5E0464CF52F60B9AB8A24E357Bfalsetrue 23542300x80000000000000003349764Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:26.786{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9906D9BDA7F23D51ACA5634AC9DC9BA8,SHA256=81EC731C3123BBFCAB8774AC9E2786EA61D0DCC16A5C5F142F70016128D4863E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011627746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.573{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011627745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.573{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011627744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.573{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011627743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.573{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011627742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.452{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011627741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.452{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011627740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.452{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011627739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:26.451{4DF467A6-CADA-6140-AFBF-01000000F001}7508\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011627738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011627737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011627736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011627735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011627734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011627733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011627732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011627731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011627730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011627729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011627728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011627727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000011627726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011627725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011627724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011627723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011627722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011627721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011627720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011627719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011627718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011627717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011627716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011627715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011627714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011627713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011627712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011627711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011627710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011627709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011627708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011627707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011627706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011627705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011627704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011627703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011627702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011627701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011627700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000011627699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011627698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.436{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011627697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.421{4DF467A6-CADA-6140-AFBF-01000000F001}7508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011627696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:26.420{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:26.420{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:26.420{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:26.420{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011627692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:16:26.420{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011627691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:16:26.420{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011627690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.152{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.152{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3024AC2CD134DD6F31C71A5CDAC5238,SHA256=E29E0EECBBDC2F8BF76F4B4C0C34FBBDBE929DD1F367FFDF9A8AE9B6ED9077F2falsetrue 11241100x800000000000000011627688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.072{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.072{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EB617CAD641CD520C5F083B14E40804,SHA256=4620990198B361541CEF6B5F5B73E8BEC3CC65C56A834CCCFBFAD1711D0A4405falsetrue 23542300x80000000000000003349763Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:26.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EFE0A76406838280828DABDF6596025,SHA256=B6938B94BB75C4257BEBA10500D2261BBCE1E8FD0D3EC8945CC0EFF209117322,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349762Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:26.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB73633EC74DA2D0E6036DDF39116E5C,SHA256=B69CBDF57B3F6D4DA7374D8006DB3C5060E6C97DAFB6D4AED017DA4180F3438F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.056{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:26.055{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35415517CEF05CC6F24A8947AC7561BF,SHA256=FE395D1D106A164975235921B231C4F49EB6E99EAA010F088B70CBD4BFFA9896falsetrue 23542300x80000000000000003349766Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:27.791{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFCCC2DD81A3ADA5FB7FEB5B85B3468,SHA256=C719DED93D148A0624B67C7DFA0BF627498B8134BA1A288888829F7F87C25F16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:27.422{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:27.422{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CBCFDB67FFF4B4A0067CA5048CEDD04,SHA256=A668429D474901B0C2E867EBFDE2654F1CC9EBCA4D09F586917E539559FEE1DAfalsetrue 11241100x800000000000000011627748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:27.275{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:27.275{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FC657A4FDA7D5BB2940947EACFCF14,SHA256=3C827FA4466401B3321DF162D0A281B72B7DD17BE1474CAC970C3FC74E2D1EC5falsetrue 354300x80000000000000003349765Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:14.162{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50104-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349767Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:28.795{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6958957C9C31DF79BBA95003BBCBF92C,SHA256=300637F4F74F7B85F468355BEC8BF64FBEA171483A66B6B5B88C6EF34FEAAE0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:00.505{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49566-false10.0.1.12-8000- 11241100x800000000000000011627754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:28.541{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:28.541{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48ABF0CC18DFAA5601DE3C21B984DADA,SHA256=67B5E991F3242E587A3E649F8D3705561DDC60FA688CF7F754E3977FDA8C273Bfalsetrue 11241100x800000000000000011627752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:28.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:28.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5CD717B516DA7A4AEC2F6B03D10E86,SHA256=CFDC8B996AC78F54B15712C7B6E43BE59639B21169B97106A1D4BF7DBE6571EEfalsetrue 23542300x80000000000000003349768Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:29.797{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0130B2247353B1526AB3ED4178EA082,SHA256=16C995C77688BD267A300A045099EA0B6B977368DA39D99CCC6B4D905293C3F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:29.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:29.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AB57309B05DBE8422CD11B4DE14015,SHA256=490B0548015951506C4C0880250B9958B6626D71F77ADB81D438B70876F11856falsetrue 23542300x80000000000000003349769Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:30.817{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356CD44A8354324B2B561A734039033A,SHA256=745BBCFE5DB8F9BAF842DDF0B960E4A9D69FD91FCCC147B7131F93959B5E8862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:30.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:30.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75A4720B126D215C3761ADB5204525CE,SHA256=EF91C01E4A62A5AA3751870A050F8B4EAAA30981AD5EDB8A670F40110AD9F0AFfalsetrue 11241100x800000000000000011627761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:30.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:30.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2359C89113308821F3FA5B92191FDC68,SHA256=DF6AC1CB21B73821E65B9449C6AB3F00DDCCA730B763599692E9266A724761ECfalsetrue 11241100x800000000000000011627759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:30.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:30.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E3D44E7956A39D1F08200C521C95AE5,SHA256=EBFB288F39DA9189C159FB89ACA5909476A366ABEC39FE81D7A6706A507003ACfalsetrue 10341000x80000000000000003349802Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349801Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349800Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349799Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349798Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349797Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349796Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349795Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349794Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349793Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349792Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349791Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349790Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349789Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349788Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349787Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349786Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349785Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349784Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349783Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349782Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349781Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349780Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349779Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349778Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349777Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349776Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349775Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349774Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.920{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000003349773Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.820{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE4FA5BA4263FB8125166D7B4ACB89,SHA256=BCE3CF2EE9856496B08A9377A1DA76B4B4B2A661FED1AF9D17DF5CD670CCEB2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:31.315{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:31.315{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895426856F95D272E065D799CFE7E77A,SHA256=98A337B7FC3F8015CE286E5B621FF0D7B230557FF227F67CB353994F289533A6falsetrue 354300x80000000000000003349772Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:19.198{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50105-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349771Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=676FCC934E1F6200597AB93FA81622AE,SHA256=59A00183030FC3F3A7A26B931063C6EE4E535DC9FEEB83D25778EDCCFC683E17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349770Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:31.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EFE0A76406838280828DABDF6596025,SHA256=B6938B94BB75C4257BEBA10500D2261BBCE1E8FD0D3EC8945CC0EFF209117322,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:31.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:31.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4517BA3AA691E117C60CB38B36715E8E,SHA256=F5DE8D7B0BA4FA7B812065E5A35CA4A7E105A50D541886BF1821B5BC723A7362falsetrue 23542300x80000000000000003349803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:32.870{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C4A23AC24BFA00C4A92B1FFE366470,SHA256=8A235C04668103432ED2C5207159E28D8FAAB2E2FEE1BADF88AFAA5005227184,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:32.318{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:32.318{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2B887635C9028B0EC8E2BCF0C85068,SHA256=7883DB1EB72A4F3481873DE2DA145B88D14A398DB87F427F210F642D52CADDAAfalsetrue 23542300x80000000000000003349804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:33.872{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204541E3A2BBA4B5EA0E225E634929F9,SHA256=77E38363687F11DA4D0ACD79614D9D634C60F5A8381EE0A0B5C4C8651AED4413,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:05.548{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49567-false10.0.1.12-8000- 11241100x800000000000000011627773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:33.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:33.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B79FDED09575F7BF4F830CB578A6849,SHA256=7BAD711CB39C3ED540635DA8F3109CB8B73748817B68337E988B30BBA104D1B1falsetrue 11241100x800000000000000011627771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:33.221{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:33.221{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82EE196EA6414FDD69BE9DE4C273B9D0,SHA256=21833A5C62FC3149632A81EB92B5CAD78D53524ACA4E8456BE7A044F9D618B64falsetrue 23542300x80000000000000003349818Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.890{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0E34351EE3AAB0EF484B32B50BC739,SHA256=3F60B954446CF23A38B24C4D4ABBA0A8EF999FE0A7E9851B5CE01097D5C0BE38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:34.408{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:34.408{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E53330A83820D7A6C5715429905A0C,SHA256=AF5EFD87A9BA4BB7211778600BFD3E687C2BB1E3D357A634F398CA2E45A47B5Cfalsetrue 10341000x80000000000000003349817Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAE2-6140-71B8-01000000F101}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349816Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349815Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349814Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349813Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349812Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349811Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349810Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349809Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CAE2-6140-71B8-01000000F101}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.712{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAE2-6140-71B8-01000000F101}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:34.708{AEE49BD1-CAE2-6140-71B8-01000000F101}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349820Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:35.913{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A8D8453FC1576B6509B82696E274CF,SHA256=6151B1ED3BC82D66774379C2C4A1FA11D591A3DF6037928CB42AA3CC3A36A46D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:35.779{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:35.779{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F764807E1BEEDB0F64467DB7DCB468D3,SHA256=545399980526C0619A28A025639ADE5CCC5833F5B80A22F5B9156B01307E8714falsetrue 11241100x800000000000000011627780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:35.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:35.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55B590336D435DA69C9DE6AF4469195,SHA256=6E7D427E3DFE6EA4DDE235D82EFD3616C9D1FFCD145189F7BF7091F869080AF8falsetrue 23542300x80000000000000003349819Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:35.710{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=676FCC934E1F6200597AB93FA81622AE,SHA256=59A00183030FC3F3A7A26B931063C6EE4E535DC9FEEB83D25778EDCCFC683E17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:35.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:35.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4F3C72212EF07ABA3B36B33B5C2A316,SHA256=4587CAF19B8411664827219DB27D8363E26B936B016F2674B0A1178AD186F81Bfalsetrue 23542300x80000000000000003349822Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:36.965{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F52A434E84BF9AB7236ACC77A3DAD2,SHA256=61D5C31EEA6B4E201FAED1D15E05327321B3FF2BA588FD07120561FD80975431,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:36.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:36.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524439399186931CEC1CD39D5943D782,SHA256=BFA353C1FD2F7B1066EAE8C3D2D2E38424F1FD665E22B37C6EC21162974EFC2Ffalsetrue 354300x80000000000000003349821Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:24.242{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50106-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000011627784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:36.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:36.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5160768E026C2593E668C98D035AECF5,SHA256=B5B26246C100A679A5FA929FC334C7570AFEFCBB84F2DE98AA5C99100A594399falsetrue 23542300x80000000000000003349823Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:37.968{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0185B458DDF83D24F771804651308561,SHA256=E20D30B306EEEBD9289C2EC4ABBBE72741FC9D45E7CDAE4445BD22D421E009B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:37.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:37.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16B70516D6D38361D7170D69D63F8E1,SHA256=A275BA16DA3DCF7C36D83EA54B76B5BCD412BBDFE7FC47910A740EB169BD7E54falsetrue 23542300x80000000000000003349824Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:38.987{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696E16ECC07275A64D3A0175AF8BA79D,SHA256=FD45EB77F4B4AE42C08EFCAB970449AB253695FFA0F95D3EBFA4C5685C7ACE68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:38.432{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:38.432{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD61D38450997CF942E987A825D60DF,SHA256=F983D2721012D8D3C7E394CC21601AFD542A92729B440A8EB0E769F1FE060B77falsetrue 354300x800000000000000011627797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:11.408{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49568-false10.0.1.12-8000- 11241100x800000000000000011627796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:39.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:39.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E8767A30DD77810962689631C96E65,SHA256=2C5B7ECDFF9D7A4AFCAF930C9E2EF7C14B93036AA7EB2C8E063E37E06BE20EDAfalsetrue 11241100x800000000000000011627794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:39.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:39.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=746D055900C8035133B6CA1E0A269C68,SHA256=01FB49E2627E8E600BA46E48AA0A4EAE9D86AE09D9E721A932160581783631B9falsetrue 11241100x800000000000000011627792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:39.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:39.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9A2EB64B36416F57F5C12B22376FB3,SHA256=0E29577971F4B0645925527DBCAAB972DA3AAA56D08EB798D5ADAA53102138ACfalsetrue 11241100x800000000000000011627803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:40.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:40.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=74152EBEC6B22038B2CCF79CE60429AC,SHA256=91A876D00B7D0A41E749A30CBBA4736055A08B1163C267658C51233A83C97DCBfalsetrue 11241100x800000000000000011627801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:40.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:40.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30F3079ACF82893D5FF8C4751849D79B,SHA256=1E81113BCC99BF09815F4D4D7AD84FEA459C1A0523989F10A240981020761705falsetrue 11241100x800000000000000011627799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:40.587{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:40.587{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B7AA38E4729C8A1EAB1DBF26F74E54,SHA256=B69C505AA2F841579F066CB87E247FC1A2C1FB3481E977372D15D8B74394AAE1falsetrue 13241300x80000000000000003349835Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000003349834Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x38c951d5) 13241300x80000000000000003349833Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a97b-0x846ac732) 13241300x80000000000000003349832Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a983-0xe62f2f32) 13241300x80000000000000003349831Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a98c-0x47f39732) 13241300x80000000000000003349830Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000003349829Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x38c951d5) 13241300x80000000000000003349828Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a97b-0x846ac732) 13241300x80000000000000003349827Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a983-0xe62f2f32) 13241300x80000000000000003349826Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-14 16:16:40.993{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a98c-0x47f39732) 23542300x80000000000000003349825Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:40.023{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CF3043BAC0984DDCE9AF9050408868,SHA256=A8232572CE99DDDA95B471C567898D897A4172DD88F066424C2AAC6FC12F0062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:41.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:41.593{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436C81BA1FC95C9A07286A4197372F24,SHA256=F2B2A7939126BCDCEEFEF083D0A26FA0F412DBD716C0281365426A50C0B45337falsetrue 23542300x80000000000000003349836Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:41.028{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360FAAEB6BFA7DDF4ABBCE7157D10D67,SHA256=DB757AC3A99ED4444C6929A39DBB53087298450DB459EAC2FB5FE963D0B93B9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:41.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:41.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7E39310A33569FA77A819DAEC9E1224,SHA256=A82D640DC6BF7ADB3D0CE66289143D263E3D966A0845256B252E41490116A43Bfalsetrue 11241100x800000000000000011627809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:42.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:42.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD9FEFEEFDA2196B2986B13C0583657,SHA256=FCDE12CC576958057453BFD00B7FABCB93796B74D50A10A23A4DBCBF7EEC32AEfalsetrue 354300x80000000000000003349840Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:30.207{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50107-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349839Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:42.134{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C74D0D8D503EBC6B4E2450B25E7099FB,SHA256=20C0685E519892B766E783E130ECB358596D0C5D3A592BE464C726E7C4843CFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349838Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:42.134{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95AB67C1339272CACD0B3A30A77DA60D,SHA256=0515C7E4BA2A31A1B4E091BFD68B58BFAAD69E89A6BC650197A2C3D22B8D77B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349837Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:42.030{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8A188D09D34CEF202C5E3429A12A38,SHA256=D0EB6FC13DF41073E5801CE35367F217A0299A0AC92A2ABC17A2945E6637CE45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:43.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:43.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6454E89F7B6E6EED365898DE3FD17B77,SHA256=98E010E6C69BF3ADB022E0461AF0361184C5E4ADB1383EE34512D3494B39366Bfalsetrue 23542300x80000000000000003349841Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:43.032{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F408D3E8E9044E5AC8244E9A3A5529,SHA256=7A9414CE8F054227B3196957C0042D43766BA9671306D216ADE4A004C6C8D2CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:43.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:43.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=746D055900C8035133B6CA1E0A269C68,SHA256=01FB49E2627E8E600BA46E48AA0A4EAE9D86AE09D9E721A932160581783631B9falsetrue 11241100x800000000000000011627811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:43.363{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x800000000000000011627810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:43.363{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x800000000000000011627817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:44.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:44.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56ADE8FF72C5824E9BF16294350D9957,SHA256=6976ECAA01BBE9C665EFC26B628F9BB485610ACE490FDF8CB2DD0F3F0114645Cfalsetrue 23542300x80000000000000003349842Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:44.035{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA57294627F343C54B7306230908D21,SHA256=0BF1001C662D1C290EA0C230EF5C66FE0F14E318BFA7B148DA84BAF31C062074,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000011627826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:16:45.920{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a983-0xe9cf5408) 11241100x800000000000000011627825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:45.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:45.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5560FFBC604D286A8DD1ABAF17011E96,SHA256=FDD646E893469BA174BF370DFFB76E83BC11C13D0169F14F7142EFF83991C029falsetrue 11241100x800000000000000011627823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:45.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:45.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D95331CD2512B4962F227324F6B493,SHA256=CA7A148B0BB6D994FA966273712D10BF7AF82C7D0F1878DFC41BECD988CE6D59falsetrue 11241100x800000000000000011627821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:45.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:45.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=675CE99522FF6D1A626A7EEB43BFDB53,SHA256=C91872751508CF8F12D2B0AB16701456F52C6BFE0465B171F95F4FD490366AFCfalsetrue 354300x800000000000000011627819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:16.677{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49570-false10.0.1.12-8089- 354300x800000000000000011627818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:16.526{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49569-false10.0.1.12-8000- 23542300x80000000000000003349843Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:45.037{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32521DCBD8DD8B0DCF1E4F96F4133C23,SHA256=38259705612D807828682C3CCD79C23F759273EBC85476AE4F183D25C7CFA222,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:46.906{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:46.906{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EB6CE4C5D285BAF6F8000997484376,SHA256=3A8E44B943D55DA23A558EAB82A96352DAB2D010219A7A8216E2FC758C6CF118falsetrue 11241100x800000000000000011627830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:46.622{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:46.622{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B16D628D9C2B2415EC9EBA71DC5B6A4,SHA256=0F90EA41976AFB873C397884ACB843ACF0E8F12DD6453FF14BDB480C2FEADDB0falsetrue 11241100x800000000000000011627828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:46.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:46.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4FE3DC395A499444D1D7621B3C4042CB,SHA256=002FBD0854972DAEDE9BB05D5AAE3F7C6B0EC4AF64731D463F842026A0AC71D9falsetrue 23542300x80000000000000003349844Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:46.045{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68D2C394E3F0885A0FA7E4D92525450,SHA256=519762AEC50EFA13D5CE5E09AE3057760DC337F8393390E7BE3E558CF76CC9AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:47.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:47.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1639B5592AB2A41FEB0CBA9F3399C17B,SHA256=9F7108B35AA4797D7514671E4AFCF0C6C73812DDE502964D5B0375E75DAAD340falsetrue 354300x80000000000000003349848Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:35.275{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50108-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349847Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:47.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AE21926BD5DA26312CE213E45D9F38,SHA256=EC4A2DDF17CBCC74D1BCFDDCA94DABF67FD9F6051CD12996DC5DFB061F212059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349846Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:47.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C74D0D8D503EBC6B4E2450B25E7099FB,SHA256=20C0685E519892B766E783E130ECB358596D0C5D3A592BE464C726E7C4843CFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349845Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:47.064{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A39250AB59FDEB1CA9433DB6DEF061,SHA256=1E79D17304C554D340E099988E33AF206749E88BF645E975934DF20DC4A879E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:48.657{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:48.657{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4294D07DA6DEB87CA6E217ECD3EE5966,SHA256=348477F76F416980F9DFF92585945E28824705773B48F06BAA5EBE8E68B73E28falsetrue 23542300x80000000000000003349849Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:48.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F4E06D6091652B2D4ECA94888AA884,SHA256=E53C3169B33512C75E9D93E82836AB710ECEAA3500D0DF2B0C70D4F09EA2A202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:48.557{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:48.557{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14B9381AC89BEA7ED3FC0DB83EDAB345,SHA256=67E53D4D07A12CCD8B82C76564BA2D7058002FCE5F6572265F54F62D207302D1falsetrue 354300x800000000000000011627835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:19.231{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-291.attackrange.local123ntpfalse169.254.169.123-123ntp 11241100x800000000000000011627841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:49.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:49.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E9416EA370FFA3BE11DC9ACD21D613,SHA256=67D5ABC0DE376DC152FFCF60305296F1DB4F82EB9276E04CB2372D77DDF6233Bfalsetrue 23542300x80000000000000003349851Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:49.787{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-15484MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349850Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:49.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA39185D86EB1FAF61EC526DF99F67F,SHA256=0AE8D72F4291FA34182B2913D79E4B83918AC5F35BE0894C4C29DEC791267696,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.831{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.831{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AB90E7BC32AE482FD58257C0628F9157,SHA256=74D8B501EF866295AA0DB143D9A0FDD8FEE474A8CB891D1BB6229906EF1EDEBCfalsetrue 11241100x800000000000000011627847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A462764368BF6F1DC1E0E248BF4DF6C,SHA256=9078379A68E5E11DCFDFA7BAEB267DBD8505542FBEB7DEE76243AB76F9EE2093falsetrue 23542300x80000000000000003349854Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:50.789{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-15485MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349853Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:50.604{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=94ED4C7D8952B8B2D562411EA654B994,SHA256=EA54FB9D9F7048ACB19ED1D9BDE28E44BEC80C5CF94272ACB42DB65D852E3DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349852Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:50.087{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C6B0F0914E3AF992985FDF62993276,SHA256=68D480B9C0BAD597AAB21660CC3960895F160B2359E09F88BAE9340885E80ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=18A0021334FA775B6560F49700CEAB43,SHA256=2BCFE6BEA44E5AB4143B95919ECA9001C6C40BDAB8CA433C147FA05851D74D0Afalsetrue 11241100x800000000000000011627843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:50.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E5B88D9F5A53D5A066B5FF5C1BE8989,SHA256=2A371885FE400C3F227425A501DB1D793058126A0E9776C2A3E521A56219E963falsetrue 11241100x800000000000000011627854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:51.664{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:51.664{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894D65C07411D8FB8B09B212A7AE5421,SHA256=2D8B7646247A1CC23AC8D97A5BAFE9034BC05703BEE14CD99D36959369AB59D0falsetrue 23542300x80000000000000003349855Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:51.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ED3DAE0B283A522BC8CDC3B1E45241,SHA256=B0690ADDDE35B97F7936BE1E133AA15BD6201702304AFE497CCD1A557D99359C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:51.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:51.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDF5466777F99C2F13213D35E924E0C3,SHA256=2EBCFED08529D4532979C45E3F2463B4E582106D294B9BAB99198A5F8DCFAD3Dfalsetrue 354300x800000000000000011627850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:22.489{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49571-false10.0.1.12-8000- 11241100x800000000000000011627856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:52.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:52.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26C1717EF47AADC1B14FCCB54CD1354,SHA256=EC2C797311061ED9F90EEF60EF6FE5DD5F9971F60863ED943011745288144F57falsetrue 354300x80000000000000003349859Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:40.288{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50109-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349858Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:52.208{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FADA9D61661C56534C8B20F09FC9F5C,SHA256=EAED645FB7150D15F41230B0537AC8F282F9C8AD54CFF8DEFE89F2384B6A0596,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349857Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:52.208{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AE21926BD5DA26312CE213E45D9F38,SHA256=EC4A2DDF17CBCC74D1BCFDDCA94DABF67FD9F6051CD12996DC5DFB061F212059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349856Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:52.092{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C21A6642F11F41DE7B06F75E3E5D5C,SHA256=5CFEDB30493685548A910B91309768E2143AD2A0D2F24D4791B0FBFEFA082F23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:53.670{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:53.670{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2E7EA82163F512396E045785815575,SHA256=4C74E90BEB94ACCD99F409F8EF1E10A54EED6F5907BCFD9488549704D1F2065Afalsetrue 23542300x80000000000000003349860Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:53.111{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DDDFEFB711799CE88442513B11F8C5,SHA256=5444700E99EF8E3F6A125465F65FEC2B6DDEDCDE8D6101954FB6DC63687775A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:54.673{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:54.673{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C5BB99847A4DA68BB37BDD05772033,SHA256=438DF03F93503A044D1DB7DB6E225284A33278338A1058A110492B73319964AEfalsetrue 23542300x80000000000000003349861Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:54.145{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A7AEC6F0F5061071CB7BD4196EAA14,SHA256=DF6A46708E7A22DF02F58504F6C03A2CDB855C249AE191E4FCE7ACF7787CADCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:55.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:55.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=158335EFAFBC66B4C55653851A92E0CD,SHA256=8C4CD966CF69C94D8D02B27FA40C7B9F08187CEDF1E6DF3196190911B5386C78falsetrue 11241100x800000000000000011627866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:55.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:55.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8071819D7CA40EEE8A419C2BF4BA31DD,SHA256=75D2AD789D65A326A7B3DDE92C270FD2006FC180478C11F65420525FD6FD6E5Ffalsetrue 23542300x80000000000000003349862Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:55.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A7D555684CAEB4C7053F548DD7CB13,SHA256=0239FCCD27EF579C54CD456276F73774CA2937E5455400E5C0BE387548BAFA7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:55.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:55.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=563DA101C1C70BA2BE535BA877E6B267,SHA256=4081FA2B6173FB6D1F5193554A58C05DCD8E1BD5525CF566F53E3771048FB242falsetrue 12241200x800000000000000011627862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:55.074{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011627861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:16:55.074{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x800000000000000011627881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A5F5859C2E019404D590B139E1500C,SHA256=B6435D59E0D443A554713796C0FD6ED63AA08D487FC71DE1CD45CD8A20B4CC13falsetrue 23542300x80000000000000003349863Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:56.150{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E3D59648F0516AA5F31E3D1E06634C,SHA256=5A15C9E01B933BB51C3DF06C091342729EF61E334A611C90FEC6D5E116C425C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8DE2F37B826280D3486575776AD1A335,SHA256=ED434C453AEF37AE0CE6461E4747356386197139BF071BF66A46FAD639BD0F0Dfalsetrue 354300x800000000000000011627877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:28.404{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49573-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x800000000000000011627876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:28.404{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49573-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x800000000000000011627875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:28.353{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49572-false10.0.1.12-8000- 11241100x800000000000000011627874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.276{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x800000000000000011627873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.276{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=306E625A19292FD58C9122B9873A26E0,SHA256=ABFCBC52E317E9DA5862B7542C9754B37AAFA224B7C08CD084EA3ABA3BF0E0C8falsetrue 11241100x800000000000000011627872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=772E2B66C241060B501B2288C3324AE6,SHA256=C460EADDB110B5EB5537660034426890F0DF2CD1A8C80929FBBDD0BF66DF6E8Cfalsetrue 11241100x800000000000000011627870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:56.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C1DB45B33DC35B8BC7A78E3A790B9D3,SHA256=FF23F67FF701F6463C19B93B8BBD52C0BFA648BFA1AB5EED323BFB8E07CCBF64falsetrue 11241100x800000000000000011627883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:57.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:57.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386B890C0B67B227151C286E2C27AF21,SHA256=FF3A542C67D9588D60CF3F0F50A692CAB7F2E463CEB1756B53A245C5DDDB3349falsetrue 23542300x80000000000000003349864Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:57.153{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDDB68821190C87DB995E6AB278CBAF,SHA256=F05AD09223A6B518D5867EF417683F98E1BE04C5673CBA4060F36E1DDF1F9136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:58.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:58.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF70381C2FEF1AA39C25A1101F1E52B1,SHA256=B53B899D3DA1D57F581F58F0830AA677344A5B63D4E0DB5A9C104CCCC4DFA58Ffalsetrue 354300x80000000000000003349868Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:46.272{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50110-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349867Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:58.208{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=350AD7420D254FC45AB04C78222C7985,SHA256=D226C0E2A983258D44D0C808E9927F4D4F83458C860F45DEDF0EC176ABC10403,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349866Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:58.208{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FADA9D61661C56534C8B20F09FC9F5C,SHA256=EAED645FB7150D15F41230B0537AC8F282F9C8AD54CFF8DEFE89F2384B6A0596,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349865Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:58.155{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303C87D78949909AEC1713A10C7C4774,SHA256=D8B77000C279C2D696A402FA108FF2762EF151A3DEB7BC119FBA1FBFAEFBE1A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:59.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:59.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E7026E846669284531C20C25CE3345,SHA256=41C7C8DBDDF7071E8CBB420C4E973D29356C07BC9A91F1FBED15FF8EDCA12E84falsetrue 23542300x80000000000000003349869Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:59.158{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B606F955E42711FBDA515A362FE08C,SHA256=A53B22EFC33106683F8983559CFAE209D47B49A33754A8B7510BAFDD1F27C182,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:00.956{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:00.956{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=25497810C3E83D215A4EE72AE7581D2C,SHA256=51F1FAE76E6FCD5E31F1E25DB27218CD70D9C0081EB46AA2BD9368406957E4A8falsetrue 11241100x800000000000000011627891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:00.718{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:00.718{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDA0E31D87208F90F280E27D429A2B7,SHA256=F469F0C0D2DC815D2A142B7AC844841EC7A3F45DAA6D6904FD23133773788A51falsetrue 23542300x80000000000000003349870Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:00.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799E980A7E27189DAF14BB543F6174F7,SHA256=A9DD31C3469C6C7EBD7371A467E6B7BBE055A9D2504DAA173214674652C28638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:00.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:00.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4EE93E65EA8C3014A82DF256EA267C87,SHA256=870EACFB445553646F33678219052C5C44DF7F82D14470E9FE6E5A0EF69766D0falsetrue 11241100x800000000000000011627902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D40A393893AA5894D4E504B9759DAB,SHA256=F9C7EEA70840B87CDF2B0C8F352C844A9A480CF9E52FB2875233A289D4F4FA45falsetrue 23542300x80000000000000003349871Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:01.183{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B381D798E514D41530FF8017579B441D,SHA256=AA4F08F4B9A480E57A1919DA69F6F6B10EE7C0368418A1036A7EA4CDC8EF8B16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:33.362{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49574-false10.0.1.12-8000- 11241100x800000000000000011627899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9352CDD0BB0C3EC4A46074C6CA7D7609,SHA256=D32E6918FA48B959C78FE64C73112C34E8DC95AF840E005CEDD9E1A283563A20falsetrue 11241100x800000000000000011627897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6F107D52E521225212D0D0535841BC8,SHA256=F0E7728D9156DA0775A0EEFDB57250CBC3DD698F9975FB854C9FDD9F9127F905falsetrue 11241100x800000000000000011627895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:01.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=772E2B66C241060B501B2288C3324AE6,SHA256=C460EADDB110B5EB5537660034426890F0DF2CD1A8C80929FBBDD0BF66DF6E8Cfalsetrue 11241100x800000000000000011627904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:02.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:02.739{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB94202B975C5C5EAFDCAB29934AF7CA,SHA256=B5B6227C9E578A78A58CBC226AC20DBCE3A98BAE2E5D1494BA93981A6AFFCDA6falsetrue 10341000x80000000000000003349886Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.504{AEE49BD1-CAFE-6140-72B8-01000000F101}19765676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349885Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.385{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAFE-6140-72B8-01000000F101}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349884Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.384{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349883Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.384{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349882Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349881Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349880Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349879Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349878Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349877Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349876Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349875Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.383{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CAFE-6140-72B8-01000000F101}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349874Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.382{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAFE-6140-72B8-01000000F101}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349873Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.367{AEE49BD1-CAFE-6140-72B8-01000000F101}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349872Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.189{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065C95B82A011D1A86DB87E9867837C0,SHA256=D91E4FACD2FD4BFFE5D3EEFC75974A1FD5D08D06F08DBA917D30D8F5B5A32A95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:03.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:03.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C31D81AE8AB35B98021ED4E6A1D729,SHA256=5F00B94884940B1466A3FAD9643BB6EDEBEF1A7DA0883064EAEA2B3013A4503Afalsetrue 354300x80000000000000003349916Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:51.318{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50111-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000003349915Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAFF-6140-74B8-01000000F101}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349914Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349913Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349912Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349911Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349910Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349909Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349908Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349907Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349906Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349905Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CAFF-6140-74B8-01000000F101}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349904Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.754{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAFF-6140-74B8-01000000F101}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349903Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.739{AEE49BD1-CAFF-6140-74B8-01000000F101}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349902Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.522{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4B335704C5C72DFD948D65270365844,SHA256=4992D4A3CF9383C67F57FD251057904F4418BD1D6DE89358E4014BEFF63391C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349901Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.522{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C22BE2450C4C232C011FA14B449A29B,SHA256=1884F4274575AF305F1D92AAE516CDA535648DB947863B861A79C31C3A74FF97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349900Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.522{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=350AD7420D254FC45AB04C78222C7985,SHA256=D226C0E2A983258D44D0C808E9927F4D4F83458C860F45DEDF0EC176ABC10403,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:03.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:03.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6F107D52E521225212D0D0535841BC8,SHA256=F0E7728D9156DA0775A0EEFDB57250CBC3DD698F9975FB854C9FDD9F9127F905falsetrue 10341000x80000000000000003349899Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CAFF-6140-73B8-01000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349898Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349897Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349896Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349895Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349894Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349893Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349892Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349891Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349890Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349889Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CAFF-6140-73B8-01000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349888Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.068{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CAFF-6140-73B8-01000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349887Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:03.053{AEE49BD1-CAFF-6140-73B8-01000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349918Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:04.740{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4B335704C5C72DFD948D65270365844,SHA256=4992D4A3CF9383C67F57FD251057904F4418BD1D6DE89358E4014BEFF63391C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349917Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:04.540{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A344B8B2A50DFC44DFF3B325CF5F0BA1,SHA256=0CAC23EA810200871D93484B0F67276946401C0B4084D2EE7ABB89105A7C85C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:04.765{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:04.765{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A8380787C17FD2D30261976C45CA95,SHA256=1475245CF4EA90E06F029E762A97044D48048DEB320F46A68A581BDFD8FBEA40falsetrue 23542300x80000000000000003349919Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:05.591{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE854062A0AFDB844B2695F1A959366B,SHA256=53F28482CDA161C7671BB210FB576ED3A582C7A01CF06FA3A7F3B2122BF6E5B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:05.767{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:05.767{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A786A34EADECE0221DD1A3B1415E1003,SHA256=21ADB380D41F130C73AFC770B7F4E9A13B37D4AD70BF456ECD4D6216A996F035falsetrue 11241100x800000000000000011627912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:05.714{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:05.714{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A9BA98AD457A0DD29F23C3280F1E9333,SHA256=CBB94597E6FF843B89BE766EC54DF6A9C144E31BB09868EB43A823867CE26E90falsetrue 11241100x800000000000000011627936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E432399BA55EFBFAFCE82535B4D99CE3,SHA256=FA05F801BF98DAB7ED99A012012F137FFD071C0CC0C78EDFFF1C6B0809F7204Efalsetrue 23542300x80000000000000003349920Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:06.594{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABC44A3B421A6EED9548467EA634DCE,SHA256=9D746FAF2FA3E8C4FD4D2C416A34E39724B2AA1476546F6B389B4F0E11C673F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D5B6DFAFA1DAE4298A60544E19117745,SHA256=FA6D0C03E0389470E4ED4BDC09B972C85D14A12B33D4963764D48F0495584138falsetrue 11241100x800000000000000011627932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.167{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.167{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=370DEC699D9CEFF99D10CFDAB69C6B08,SHA256=8C544932F8BBCE2F99CE65B522952C61E91089A74568AFF222F63276C8EE3DD9falsetrue 13241300x800000000000000011627930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x800000000000000011627929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x800000000000000011627928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x800000000000000011627927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x800000000000000011627926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x800000000000000011627925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x800000000000000011627924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x800000000000000011627923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x800000000000000011627922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x800000000000000011627921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x800000000000000011627920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x800000000000000011627919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x800000000000000011627918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x800000000000000011627917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:06.167{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x800000000000000011627916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:06.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BCBE93B3E5132083D3914C8DD22793F,SHA256=0848981F8BA41D62442B3BCE94D2AE3282544DA638CF75F317C333A9174CCCA8falsetrue 11241100x800000000000000011627939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:07.771{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:07.771{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120E84AD74756CC8AC336ADA1E661CB4,SHA256=E97CB685BCCA423FDA68741978558F416BBAF82BF630D7C865AD5FE2DA6A1E86falsetrue 23542300x80000000000000003349921Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:07.602{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26268CA83F17FC2B9544239053E0F0F9,SHA256=4C072D3A49200D673CBC3C846BC383D8EB2C0237B94D63BE618CBD387B41CCCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:38.476{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49575-false10.0.1.12-8000- 11241100x800000000000000011627943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:08.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:08.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2D1DA6C7649BC0568891CA4E86B6F4,SHA256=C0E6315997153CDDF80B5F62086501BA08F536BE2DCF23BDD8F74F61DA6A6A4Bfalsetrue 23542300x80000000000000003349923Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:08.620{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AFD3397F776FB390CED212A8E1BE8C,SHA256=F08C6726E2EFA4671A10F8A6581A9F67D0956D4A5B4B75ED417A1FD05A2A1A47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:08.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:08.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD3D8D28F474D6BC5DD68CEBD3E50300,SHA256=58AB2B8452A1A2F73A06A35563C15C82D35213FB552501A21F5BD10B88821891falsetrue 23542300x80000000000000003349922Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:08.401{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:09.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:09.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D716E343CF1D54E6149DE982C05A6100,SHA256=056BEE98FF52FEBB0FA1242A8C7E8B67C0ED2E3DAFFC6E40B788FCE219AE2409falsetrue 23542300x80000000000000003349925Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:09.623{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95C20A393093CBA8848A8A80F9B1AF7,SHA256=A99F8F93FF6532AAEA2FB1C39D861321F6EFD9C93747BF9460497B4F6375FA71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349924Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:09.103{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=804375438A37434C2A1BC92E20FC3569,SHA256=A486B28603379146B2BC4670A23429D6BEC4116DDB47CF71FCA4D329A9A8986B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349927Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:10.626{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A49136DD17569CF32AC44DB2A0124B,SHA256=53EB9A86D631F05D272B63AE75B76A3B0F86B3C2FC471C555DCC219231C31E6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:10.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:10.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA337C4D526C34CC587176BA48D688D6,SHA256=6500302ED8C8155328C860D709BE16C51CAF3A55BA92FF624DEE3EE7B945890Ffalsetrue 11241100x800000000000000011627947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:10.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:10.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=629F785CC55AF9C9B59E35C70975A351,SHA256=6ADAFD1DF5DE8C78AD48991E6A286BDB37F0FBDEC175AA2F49F55EB6627F07C5falsetrue 354300x80000000000000003349926Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:57.178{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50112-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000011627955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:11.813{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:11.813{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9D6F10E9D8D58649C44666E9D42953,SHA256=0532D400CB2D80604EEF5EE0D23C938E9E8169C4D1A1A362502A3ACEE1E1666Ffalsetrue 23542300x80000000000000003349929Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:11.645{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778C705D1ECE11945C5B2B4F86FAF4FA,SHA256=164D008B9469BEEBFA523264404DFB36F49272778372A3000A93C178CFD9ABE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003349928Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:16:57.464{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50113-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x800000000000000011627953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:11.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:11.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60EE744990862230CA85C8F8409CD097,SHA256=41285564CAFF6ADEF676E6C9054AAEC73EE93BAB40E1320663F014BFDB3D4B0Ffalsetrue 11241100x800000000000000011627951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:11.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:11.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=610E929C2F8B3231404ADCBAC63BB0A0,SHA256=A686E9C2E8FB3A73C96CD10013AC1A363CE77D9F1B6C01EE7D0A9020B6609BFDfalsetrue 23542300x80000000000000003349930Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:12.648{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438C32AF1220BE20B083DB902E01889A,SHA256=AD4AE47171E0AE4C88E88A212DE99AE491FD2F58F918D461137A550ACB8739CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:12.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:12.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9002536A9A0099AB43A55E5657240D7,SHA256=370460774CC3F20E5DB92A4AC179682D643233754B61DA18D76E151D7322DC97falsetrue 11241100x800000000000000011627957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:12.063{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:12.063{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50EFD9AE91AD806620DC76C3A6EE021C,SHA256=AC5403FE729F4F448CB8DC55F8E0231E508E66735BD71C4FD9913F0CCCBAECE9falsetrue 11241100x800000000000000011627962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:13.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:13.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7316B1D9FE688F0912E4832D782D745C,SHA256=DBC07DE00F141BA596693EC04B9AFC9D130D2558FDD567B9160E774F8F3108B0falsetrue 23542300x80000000000000003349931Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:13.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D17004590C9CEDCE38D33107283C89,SHA256=30C98C42B88BCFC005C8A61DBDF2CA178284607CA6A35C1A50B79DE385D2FD56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:44.387{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49576-false10.0.1.12-8000- 11241100x800000000000000011627964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:14.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:14.872{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7B48DFA2F4FF57BB4ADB27FCB69F48,SHA256=1CFCE82AC72029722E5731F7284351E7854F89F4FBD611B01F9BB2731595FDC0falsetrue 23542300x80000000000000003349934Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:14.719{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8ED4146DCC43F27C938E0F6DFF8FFBA,SHA256=81C2BBFC42BDD8967D27C3B62B1B35A4427376575A9CBBF1CEDA32C1EB4231DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349933Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:14.184{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D140AB387FCE9581E828CBC81444D3E0,SHA256=0AFB7DA4ACFD4BD2ECDE83FC2712F35CBA224A3956DC0963749FB65C73F8C94A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349932Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:14.184{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B6133176A06FBC5B9231966D5DD3FDA,SHA256=4FC8F37CAE2F423E6C75127C08CCA8923F6D466F9EE8289E08D7C7BA064BA697,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349936Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:15.721{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE93FC82801CDDB42286ABB384223D75,SHA256=D3B38180AF3C1BD7E1E48C851AA25A5137FFC3EE88367921B6E3A449FD91911D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003349935Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:02.247{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50114-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000011627972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE9FFDFE9C2D05083D31DBB78E48E87C,SHA256=A848352215D971D4A160A512887949D9119381E898B92B4722B97C89C0DFC2B9falsetrue 11241100x800000000000000011627970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C1EF6E958907CBB8E7DBB24EF5ADE45,SHA256=7D7E85D9BE8D29FA2AE98B975556D6CF25EECE925636404D844737E65D1F1B66falsetrue 11241100x800000000000000011627968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E9938C8CA97050FB30AAC4BE12C2FB8,SHA256=B3D858BFB9A6B30D3138F52070C2ABC3A4C2A1946547A03A7F615D470C509291falsetrue 11241100x800000000000000011627966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49928F82426418619A2A4A1554B5B4C,SHA256=1CE83851A35AAC6C822C0EA21C576FE51B9916F75F7D722A694252CB54D2D606falsetrue 23542300x80000000000000003349937Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:16.725{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6662BCEB425ED66D973EF5C1397EBA12,SHA256=6F61F30D946F158259E072AC950AE4015050B8E3777ADA96B957198D8CED257B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000011627990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000011627989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x38d1bccd) 12241200x800000000000000011627988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000011627987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a97b-0x9a73aa1e) 13241300x800000000000000011627986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a983-0xfc38121e) 13241300x800000000000000011627985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a98c-0x5dfc7a1e) 13241300x800000000000000011627984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000011627983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x38d1bccd) 12241200x800000000000000011627982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000011627981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a97b-0x9a73aa1e) 13241300x800000000000000011627980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a983-0xfc38121e) 13241300x800000000000000011627979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:17.429{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a98c-0x5dfc7a1e) 11241100x800000000000000011627978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:17.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:17.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE43372A0AFFA9D616FFD6B4CAF5E40,SHA256=AA52FE2E3A1C704A2BEE7E6C7ECB6A7AF02224EC074BBE489428E1D53CA84848falsetrue 11241100x800000000000000011627976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:17.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011627975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:17.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B508E4EB05EAEC2A3723092F9095B41,SHA256=C4CFC43FE41D0C42F768FCCE00ADDC02377FC687E1A5B0A95C064F807086BE26falsetrue 11241100x800000000000000011627974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:17.097{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:17.097{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DF1C00198626B88F726EE8C5C8CAF7,SHA256=C608EA6E9887E2B640570E79F11D1E7C90B324D033BBA17F70E9F0B3C0F69374falsetrue 23542300x80000000000000003349938Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:17.727{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F47271F5AAC6641DF295B22FCD6DA22,SHA256=420203C741D2A062AA2CDFD00CC1507907C26DCC5EFABCB10FFF1C7E422D8ACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349953Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.812{AEE49BD1-CB0E-6140-75B8-01000000F101}54123128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000003349952Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.734{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8B71DC551C98AE1357EFD1939CF156,SHA256=8ECF470D3F558EC9E81A6AD261B540480717AB2352ADF74CEFEAC4B99ACB019F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011627993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:49.557{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49577-false10.0.1.12-8000- 11241100x800000000000000011627992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:18.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:18.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A19F90DD6FBAA1136816D4DB8D46CA,SHA256=B3D2026DB15B7925C29D18F960896DF5E769D46A845628A15A6C3CF82E99BAF7falsetrue 10341000x80000000000000003349951Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB0E-6140-75B8-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349950Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349949Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349948Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349947Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349946Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349945Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349944Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349943Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349942Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349941Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CB0E-6140-75B8-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349940Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.697{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB0E-6140-75B8-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349939Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:18.682{AEE49BD1-CB0E-6140-75B8-01000000F101}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349970Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.751{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615B2427E74F755E36BC5F97254FCCA9,SHA256=FB9F9334CAE0695C08CF481C06C95A57456F55F837AD723535565AFA70329C04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349969Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.751{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3F896BE9CE8DB02351875B0AF901AA2,SHA256=286C12C0EBFE0B71CC50B73B540B29AF0A2FA8412CC1FC455C690C3F34F4F740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349968Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.751{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D140AB387FCE9581E828CBC81444D3E0,SHA256=0AFB7DA4ACFD4BD2ECDE83FC2712F35CBA224A3956DC0963749FB65C73F8C94A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:19.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:19.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4F6F6A2BB7C20798CE38A26CEE1D2B,SHA256=0B5DA79D20B199E181980AB5FDC4FAB1002EB28CEFC633C474B894633095B670falsetrue 10341000x80000000000000003349967Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.498{AEE49BD1-CB0F-6140-76B8-01000000F101}49565400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349966Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB0F-6140-76B8-01000000F101}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349965Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349964Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349963Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349962Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349961Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349960Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349959Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349958Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349957Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349956Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CB0F-6140-76B8-01000000F101}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349955Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.382{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB0F-6140-76B8-01000000F101}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349954Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.367{AEE49BD1-CB0F-6140-76B8-01000000F101}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349987Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.769{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C99AB13632ACD899BD26A6AFC6539C0,SHA256=61BD03485F886FCB5148ACF60F1946FE95467D603880DE5239E84F2D8A0C6061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011627999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:20.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011627998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:20.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D916127CD84552D5F79CF05ADF84A568,SHA256=7F5E0F9725582FCEC7723F72BD2F20845C940FC4AF19BE537E98C623042B3ED5falsetrue 11241100x800000000000000011627997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:20.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011627996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:20.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E18D332CE451CABAFAA440DAA1FAE0,SHA256=F01AB533D7FD50BA913C552716F5E7D6D55F58004CE00A2B2177746B53E3F882falsetrue 354300x80000000000000003349986Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:08.132{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50115-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003349985Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.230{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=00B6CD6E6D9732337D154F61AFC948C2,SHA256=C2E66F8841A9EF1B03C53E8AEE14EECAB5571B5E5F759ECA72C19F1E29B2162D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003349984Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.183{AEE49BD1-CB10-6140-77B8-01000000F101}18445764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349983Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB10-6140-77B8-01000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349982Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349981Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349980Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349979Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349978Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349977Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349976Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349975Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349974Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003349973Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CB10-6140-77B8-01000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003349972Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.067{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB10-6140-77B8-01000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003349971Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:20.052{AEE49BD1-CB10-6140-77B8-01000000F101}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349989Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:21.772{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80FD530B1DDE3C881483346C4DECFF5,SHA256=C03A934F26601EB1C59748BDBAAD32610CF4599A9D76A213496684840C8C9524,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:21.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:21.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EEA4902098414E69DFC71C992655923A,SHA256=AF3E9A3080926861F99BC824C1E3C33573159DC533A5BD628AF32571FA0E7288falsetrue 11241100x800000000000000011628003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:21.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:21.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=55AD7308F0833C4BD7D3016A01649508,SHA256=F30620390D27EB86397717BF5602FD8E06CCBA2F869C4A1BA8DDE2036190E174falsetrue 11241100x800000000000000011628001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:21.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:21.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625926B6E4CA106DB7ACED1D6F851398,SHA256=D358CCB57DEFC56657ECEC0061B0AE3102EAA3548639C97C1106CC8412A833E9falsetrue 23542300x80000000000000003349988Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:21.055{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3F896BE9CE8DB02351875B0AF901AA2,SHA256=286C12C0EBFE0B71CC50B73B540B29AF0A2FA8412CC1FC455C690C3F34F4F740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003349990Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:22.776{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D138997BABBD9199BB23B15FC4A648,SHA256=1116146542CA11D719B1C59AB8B02A2AA722AD8C4E063CF585F29870B0EA9359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000011628070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.959{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-15492MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x800000000000000011628069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.958{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-154922021-09-14 16:17:22.958 11241100x800000000000000011628068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.957{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-154932021-09-14 16:17:22.957 534500x800000000000000011628067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.710{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.710{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011628065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.710{4DF467A6-CB12-6140-B0BF-01000000F001}7188524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.710{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.710{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011628062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.594{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011628040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.593{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.592{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.592{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.592{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.592{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.592{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.592{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.592{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011628025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.591{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.590{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.590{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.590{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.589{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000011628020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.589{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.588{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.573{4DF467A6-CB12-6140-B0BF-01000000F001}7188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:22.573{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:22.573{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:22.573{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:22.573{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:22.573{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:22.573{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011628011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.292{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAED7962DD4AB57133AD4F34769463D,SHA256=FCA3403847961992E63DEA137B02409D4EEFE0FDAA786562DE72989FA8566F9Cfalsetrue 11241100x800000000000000011628009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0427C2A8E2F903E42528ED2FFB066374,SHA256=73F089D4A7616863A4465374DA6392D4745EE715F402FB695738BB471A6B3C4Cfalsetrue 11241100x800000000000000011628007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:22.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE43372A0AFFA9D616FFD6B4CAF5E40,SHA256=AA52FE2E3A1C704A2BEE7E6C7ECB6A7AF02224EC074BBE489428E1D53CA84848falsetrue 23542300x80000000000000003349991Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:23.779{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93675E069B787F5FD30649D1023318F0,SHA256=0BD7D98E6BDFA27A9056AEB8AFE6FF88CA6E135B6FF2FD8402CEA06E981B0BAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000011628189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.973{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.973{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.973{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.973{4DF467A6-CB13-6140-B2BF-01000000F001}7920\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.973{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.973{4DF467A6-CB13-6140-B2BF-01000000F001}7920\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.973{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.972{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.972{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.972{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.966{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.966{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.966{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.965{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.965{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.965{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.965{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.965{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011628168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.964{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.963{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.962{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011628152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.962{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.961{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.961{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.960{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.960{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 23542300x800000000000000011628147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.960{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-15493MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 10341000x800000000000000011628146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.959{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.959{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.944{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.943{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:23.943{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.943{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:23.943{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.943{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:23.943{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011628137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0427C2A8E2F903E42528ED2FFB066374,SHA256=73F089D4A7616863A4465374DA6392D4745EE715F402FB695738BB471A6B3C4Cfalsetrue 11241100x800000000000000011628135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE050837C6554635D949DED9792117D,SHA256=94A23DED1ED3AD6EF1ED453688D7252AE14BF33A5AD5E338F5008BA4CD825764falsetrue 11241100x800000000000000011628133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44626A5E0D83E12D4600D1DDBDB73CC3,SHA256=9C8E70F4A5A7637FAA562D385E44D986E1746234AA70D9E2FA27AC6DD66D4694falsetrue 534500x800000000000000011628131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.395{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011628130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.395{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011628129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.395{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.395{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011628127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.292{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.291{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.291{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.290{4DF467A6-CB13-6140-B1BF-01000000F001}1596\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011628123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.290{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.289{4DF467A6-CB13-6140-B1BF-01000000F001}1596\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011628121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000011628116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011628094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000011628093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011628092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000011628090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000011628089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011628088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000011628085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000011628080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.273{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.259{4DF467A6-CB13-6140-B1BF-01000000F001}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:23.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:23.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:23.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:23.258{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000011628071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:16:54.568{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49578-false10.0.1.12-8000- 23542300x80000000000000003349992Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:24.782{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D17659C5468917C7F430A7D9EA817B7,SHA256=FFFD851B7A472BCDC87704CDF73C063F5D22095C290A5FAB85D026500EEF6996,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F057AAFD415FB2F331EF6870DB3D2259,SHA256=B2C49A88FAE4579BD9D25FAD8CACAEDDB725DFE3A3C4BD637364FBDE6895709Afalsetrue 534500x800000000000000011628252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.776{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000011628251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.776{4DF467A6-CB14-6140-B3BF-01000000F001}74761808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.776{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.776{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000011628248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8194F95D74D148975F7927D93265AC7,SHA256=C9D706E34DCBFC001F487AB0CE1BF523D3C65F069FA1B26938F3742CFBA24C94falsetrue 734700x800000000000000011628246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.660{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.660{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.660{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:24.660{4DF467A6-CB14-6140-B3BF-01000000F001}7476\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011628242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.660{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:24.660{4DF467A6-CB14-6140-B3BF-01000000F001}7476\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011628240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011628235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011628220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011628208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000011628203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.645{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.630{4DF467A6-CB14-6140-B3BF-01000000F001}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:24.629{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:24.629{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:24.629{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:24.629{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:24.629{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:24.629{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000011628194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.094{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.092{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011628192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.092{4DF467A6-CB13-6140-B2BF-01000000F001}79204668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.092{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:24.091{4DF467A6-CB13-6140-B2BF-01000000F001}7920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000003349994Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:25.785{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911EC4FBB12B0138C633CB7F8E0F3811,SHA256=ED791D480757A1C855C4A8C20E96EDD6C9125DC07FA2A2AB2914AB8A067B639A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x800000000000000011628322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.993{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:25.993{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.993{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:25.993{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.993{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:25.993{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011628316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35E631D4B6BFFA0FE3A0C22DAA765972,SHA256=CCE38EE2FB8D5BD5FA79F3FF9E1D00EA7511A9F19504D33FF88802757EB90A06falsetrue 11241100x800000000000000011628314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FD1BBBF631664B8B975B4CB1F0AD81,SHA256=34C5A9BD209D1B866DF44381A6B27FD54ECF69AA09AD1F0C206FBE2A086F3085falsetrue 23542300x80000000000000003349993Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:25.248{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=005487BBAFB129A895F39FC805EBAC68,SHA256=C05147A837CF1850AEF2612673654B433FFD1FB4D5480A4009E4F7865D95B29D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011628312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.461{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011628311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.461{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011628310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.461{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.461{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000011628308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.396{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.395{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8DB3BC6322233733422259BDA738B2,SHA256=2E121446ADF71BB1AD4A0FA4416519F29D9C3FBBD17C221221094B07840D335Cfalsetrue 734700x800000000000000011628306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.346{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.346{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.346{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.346{4DF467A6-CB15-6140-B4BF-01000000F001}7436\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011628302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.346{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011628300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011628285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000011628269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011628268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000011628263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.330{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.315{4DF467A6-CB15-6140-B4BF-01000000F001}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:25.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:25.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:25.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:25.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000003349996Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:26.788{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9091BD2C9BB82B5122E494AB260222A,SHA256=494202D59EB45E1D2AE1C6633905D191D34ACC4B5E1E7608FD0FE2E6C1DC3B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011628439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.831{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011628438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.831{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011628437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.831{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.831{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000011628435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEC72A3D7698C54DEAF6030CC7BB8CF,SHA256=D7F8F247207BD8998A2E7244C7705CC3CBFA5D59DE3CE5ABC78B588BA375878Efalsetrue 354300x80000000000000003349995Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:13.324{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50116-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000011628433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C560D6321B8A175386F60B8A348213,SHA256=64B56FFD91D6F83220BC0B6AE35A462972D50E35D99B8A303C88967551F3DC2Dfalsetrue 734700x800000000000000011628431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011628427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011628425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000011628414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.700{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.699{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.699{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.699{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.698{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011628397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.698{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.698{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.698{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.697{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011628393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.697{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.696{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.696{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.695{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.695{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000011628388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.694{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.694{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.679{4DF467A6-CB16-6140-B6BF-01000000F001}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:26.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:26.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:26.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:26.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:26.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:17:26.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011628379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1D7FA3ADDF604BA7FCF674CE6B4A44D9,SHA256=563BC360ED0CB6AC563D66CAE8CA520DCF8B16256280EE15A689CA8BFA0D9568falsetrue 11241100x800000000000000011628377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F734EC2C9EB73F97AC4CFA68F50591AA,SHA256=CE1C50514CC251B6F674FFEF84AAC7C61C41B8DEC4DB2AAC2396BB41278D5E56falsetrue 11241100x800000000000000011628375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D06D3D6286FE6FF2121079FDB4F43A8F,SHA256=97256CFB64506E443CB8C55A6166F321B7FCF6AEF1D5B05998610FFC488A5845falsetrue 534500x800000000000000011628373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.146{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011628372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.146{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011628371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.146{4DF467A6-CB15-6140-B5BF-01000000F001}23008100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.131{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.131{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011628368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011628364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011628362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.015{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011628347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011628331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011628330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000011628325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.000{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:25.994{4DF467A6-CB15-6140-B5BF-01000000F001}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003349997Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:27.790{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF1E896A81DA0A85DAB9CBA61E62ECD,SHA256=2A70CB50D12F7F73A08E72067037A0D92A656A716591669284090F1CB949EE50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:27.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:27.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E18C3C7F30E8DFF3B72C9CCAAF7720E,SHA256=C6F526863D18854CAD39D726CF6E6A2CED055B725A51DC362AF80984CC539265falsetrue 11241100x800000000000000011628441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:27.680{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:27.680{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35A8F2FBF6F33983BB6136EBDC11C64D,SHA256=72DF8BE64B90F5D708638709FD4E1E2629A25F45F7A3F2913C8FC606863442C3falsetrue 11241100x800000000000000011628445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:28.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:28.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23965CDB1D7EF6C98979DE8F32727A0,SHA256=4A0857FBACA250AA4DE769D69E76D21C05552D9CB1499CA438A42DB248EE37C3falsetrue 23542300x80000000000000003349998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:28.793{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D649BA8EB4ED3CD3DE4A3D1751964CB,SHA256=49858CC29034868AF59CC8FD102CC164A219024124638FAC2C0226C107402F18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:29.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:29.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0F9169EFBBF4E27F312B51BA5DBF92,SHA256=A2DAA205FB24755F0C77FF9B461D8C6509C0F733E1154CAEC6DF40D822EC2BA1falsetrue 23542300x80000000000000003349999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:29.796{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9317C511A2FFDA213C7BB6896C848356,SHA256=2AADC54D4A8D9730ECD3B12D7437A49E8B0F9CC5E8628AB382D66B7554FA054D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011628446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:00.508{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49579-false10.0.1.12-8000- 23542300x80000000000000003350000Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:30.799{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748F8370090D5464E58664244379103C,SHA256=2CE61432954B0D8B84464417DF152C028ED54788197AFF94149EFF5647A2A9DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350004Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:31.802{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DB13F142374ED34C41F42946EB61C2,SHA256=FA7EEF415D9993A3737F0DA3EEB7E7A1092DE0118499799F8D2E36024F36B92D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.689{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.689{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2D1E9787D4C171FF1745E202338BEBB,SHA256=36914E7C7571ACD4BFB40BD726DA4AE393883A0FAB56E00A8787B149BC0084ADfalsetrue 11241100x800000000000000011628454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=675E7F14E67B0A9F496DA8AD457A55AE,SHA256=3C665D2E04C2D0668F752D3E75A5054CE367E40342DCEAA58D51E1ED1B3FC698falsetrue 11241100x800000000000000011628452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B239A4541C2DB0C0158AFFACFAF8F669,SHA256=21E589154A1C73FD559357E47D3232DD3B3095036D642C81CB029EBA83F6C688falsetrue 11241100x800000000000000011628450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:31.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9B76383EBBB5FC9030E163331686FE,SHA256=443C2C6BA51BDB4C0CE7C6899B7B8B59BDB0CE90D1EBD37BE06388563258E7BCfalsetrue 354300x80000000000000003350003Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:19.296{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50117-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:31.285{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCAEA31D315367C1C63A6386B66A4655,SHA256=B27F79AD88A3236083623C1FBD706A9A54F877429DE0494CF709608F8E7F9E3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:31.285{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25027B84E10EF098CD04DFB778417BA4,SHA256=3CEBE1E021F3615E6F30EAEB0B08B262B8441E41D40DF048E6FE9A62AAB2F5DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350005Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:32.805{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04246459C20248DEFD3B9E2EF29C855E,SHA256=4ABF3F3A7512D6C1A7A2BF0FF465C61C14217B5AFE1ABB07E2D9660B98EB1FD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:32.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:32.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539FF73F973731F2F2801188FF610CE6,SHA256=872F9D709C9182748DA36A3B7E5E194D20C9C25F4E00604731D732B863A2762Efalsetrue 23542300x80000000000000003350006Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:33.808{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10AABCC57F3F66024DF21F3D4EB5DFA,SHA256=85846ED9D9A089017BED191AD82C159D153F5BDFF8503F694480AFE93C66F62D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:33.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:33.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4C86FF7688FE02FC152D7EE10B27DF,SHA256=F300ADC7FE4CC628F15BCAE712CEC3663B53BA5D083E7C5883518BEBCF5DFA9Efalsetrue 11241100x800000000000000011628462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:33.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:33.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C332EDA4EDCA11F753E102A0E2617EA9,SHA256=F55FF787E6289B212CD96AE5909FC88273ABA4052EF00D4F02C594B013C54C27falsetrue 11241100x800000000000000011628460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:33.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:33.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE64B46CB4A5934BAFA661D2F4498D77,SHA256=7D421A21ECD2545837AB1ADFC2F4552EE3DC2A6EFDBF573916CC8A67506B5376falsetrue 23542300x80000000000000003350020Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.811{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F52B9C280882DA4FF938F7D4B4506C5,SHA256=9AE68E732DCFB51F3B3E20867E3ACD2097DD38AAE274F55C25D01694C4BBAB8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:34.266{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:34.266{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464D4FD9A176758237C4C31EB8FDD1DF,SHA256=5AF222053768A399A0E49D814EE9E71DE5B89FD3561B9C781C95E70A00410752falsetrue 10341000x80000000000000003350019Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB1E-6140-78B8-01000000F101}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350018Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350017Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350016Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350015Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350014Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350013Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350012Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350011Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350010Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350009Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-CB1E-6140-78B8-01000000F101}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350008Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.726{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB1E-6140-78B8-01000000F101}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350007Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:34.711{AEE49BD1-CB1E-6140-78B8-01000000F101}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000011628465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:05.558{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49580-false10.0.1.12-8000- 23542300x80000000000000003350022Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:35.945{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCAEA31D315367C1C63A6386B66A4655,SHA256=B27F79AD88A3236083623C1FBD706A9A54F877429DE0494CF709608F8E7F9E3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350021Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:35.814{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDEA2E1FBC0FCD47A74A36886B684FF,SHA256=3A067FD2A7462C82974C69C78E8D0459549869858D3BBB0A96E5E4104F54B0CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:35.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:35.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA7F06C6A7AC3701EFC5731572ED7A54,SHA256=938BC34381B0ED926949DFCDE67A8D809569A65FF7FCD454388873FB180BD895falsetrue 11241100x800000000000000011628469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:35.285{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:35.285{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E7D1F9CDE215CBBED792D9DB540727,SHA256=8CEFBCCE289A5F6EC5B1B5409196C3FA15C8420C0F92A1E7B84D54789A139368falsetrue 23542300x80000000000000003350024Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:36.817{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8478E1A3610A3618364936709D2D568E,SHA256=3D4E89AD9387834A07D4B2938D9DED08B744FC124E4DB727242A832E88D6830D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:36.724{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:36.724{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D397883A8BDC8DC8E6207FAD9E77392,SHA256=FF42040DFB5DD724CAB626EBBF81F51AA9A365AA4C647F9EDA4817C5D616C641falsetrue 11241100x800000000000000011628475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:36.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:36.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9B1DEFBA450E90666E52FFAB6B4867D,SHA256=4F203CF2392EA1CF3178D878E4E04CAFB04815025B68828DF2662CD321196F42falsetrue 11241100x800000000000000011628473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:36.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:36.439{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBA493838F885F3F97007267F5F3648,SHA256=BB160892392586BB74A558D70930282F8FF0B068DE1F2C04CE1CFCE17A84C69Cfalsetrue 354300x80000000000000003350023Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:24.340{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50118-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350025Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:37.820{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8281E6AE93087D605DEBD8EE990CB843,SHA256=F0875361DF69FD9520F3B32DAD1D3F38FE0A9D4CF1D4E16DCA26460BD06AA131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:37.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:37.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010BDC1F892390D2287F0DD7B35C47E9,SHA256=11CF6AAA329515785CFB01C6BE06DE4F2B37E6AB3511168663A94231EBB864C7falsetrue 23542300x80000000000000003350026Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:38.823{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBD51B8DA8961A22607FAB3A233CF31,SHA256=FD9E15797AD4479B2CD422F447FFECD64D87F2B834BE80AFFD2CA1BF17D7BFA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:38.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:38.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D195B5342F645761725403C2B1458B75,SHA256=5927350E80495498F9691F10499C3A879DCFEA56DE1595E1537F308C3891E72Cfalsetrue 23542300x80000000000000003350027Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:39.826{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90C280ED367AB7882FE0DAFE358C9F8,SHA256=92CF67146F0E46023653BBFD540B8B99896D83D9A7F30981AC06252D5D847622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:39.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:39.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA863BA3A4A69270AB76BB517FE4A8B,SHA256=8968468F9CE9F877B11495E0912CF527910CD36F503BEA9ECB93DB2876F24EC7falsetrue 11241100x800000000000000011628485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:39.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:39.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81CF566147AB3DF0FC0BEEAA311F02F7,SHA256=1499D37CAD4BB745F3917C4BFAAF1A71D797C8D01DC9CBFD057D01B462F1A3FAfalsetrue 11241100x800000000000000011628483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:39.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:39.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C332EDA4EDCA11F753E102A0E2617EA9,SHA256=F55FF787E6289B212CD96AE5909FC88273ABA4052EF00D4F02C594B013C54C27falsetrue 23542300x80000000000000003350028Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:40.828{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93861B0CCAD68CC1F99C4183D081FBCE,SHA256=A022B8541A8882EF60430C9EDE04BD876D184B11C46CCB71F57174AFFC34798C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:40.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:40.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F67725E022B7F4479B1C893094AC0953,SHA256=45880F5FC2CB4B6D5CB6F076106E5BC0E6DB346CDA96D3FF67FCBB044DD8957Ffalsetrue 11241100x800000000000000011628490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:40.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:40.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFDF94E8F5033C246B31F1862BF1559,SHA256=BF3CD2D1B1DFBC8152B31B5364B46E7CF2032755477DDD51EBC914511E126526falsetrue 354300x800000000000000011628488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:11.554{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49581-false10.0.1.12-8000- 23542300x80000000000000003350029Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:41.831{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A549DD8A49CB303374E92ADE3ACD61,SHA256=161179423D3C3E5685B00E04BDBFC727AFAAF52BBA1F741B540C197C29BF5109,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:41.816{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:41.816{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E782EBD51CD9BF9F9D4A47656CD19DC3,SHA256=81838A91668A2D62A901C295EE0B245C6C15237F4F5345E6892987BEAC2445E7falsetrue 11241100x800000000000000011628496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:41.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:41.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A4B43D9C6D463B0D4C9A71D64DC8A456,SHA256=C30C1A8009CB6231BC1DCD20FBF9B622F2204523A0F3C6F2D04D4C552AC00ED8falsetrue 11241100x800000000000000011628494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:41.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:41.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5733365BA574E73E7178AB2BAC7BC4,SHA256=249830C618FB2BE5A36EEA63D3274163BAD803FC42EA1BFA84FB2C1ADD1EB820falsetrue 23542300x80000000000000003350033Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:42.834{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC40B8F1DB87D74E8B68D8E141341D0B,SHA256=4A3FAB6B1DA8783D2AF85EACC922F4C516A53A8D090CE1A7CFC8B98BD320ECBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:42.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:42.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0871448AC68FA9D72C09DAEA160E0CDD,SHA256=FD559234B19B86AF283217B8425260CBD2EEA896F5EA18EB7F482F9E53D348D4falsetrue 354300x80000000000000003350032Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:30.173{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50119-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350031Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:42.096{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AB225F0F53645E1E9D890AAACD0474E,SHA256=97CDCD931A71376D504448B068951499D9968B6898D1ADE6B13856F02802D7A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350030Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:42.095{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31852C8D7474AC52D3B2F34E3F560ECE,SHA256=722E196CEAACC292BB60354AFC48535E42E0BCDB76A55F00D6576E4A28D4BAD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350034Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:43.837{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD618139907DCDAFB9215A9950EC39F0,SHA256=7F7F753D9CC67C960AC58D1E4651D058641502F2997CB3B1A457A6994F86D373,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81CF566147AB3DF0FC0BEEAA311F02F7,SHA256=1499D37CAD4BB745F3917C4BFAAF1A71D797C8D01DC9CBFD057D01B462F1A3FAfalsetrue 13241300x800000000000000011628559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x800000000000000011628558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x800000000000000011628557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x800000000000000011628556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x800000000000000011628555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a984) 13241300x800000000000000011628554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x0c2c91c2) 13241300x800000000000000011628553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a984) 13241300x800000000000000011628552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x0c1d4323) 12241200x800000000000000011628551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x800000000000000011628550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x800000000000000011628549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x800000000000000011628548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x800000000000000011628547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x800000000000000011628546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x800000000000000011628545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x800000000000000011628544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291 12241200x800000000000000011628543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000011628542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000011628541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x800000000000000011628540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-291$ 12241200x800000000000000011628539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000011628538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000011628537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x800000000000000011628536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.574{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.574{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.574{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.574{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000011628532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x800000000000000011628531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.574{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 11241100x800000000000000011628530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B18FED732474564371785A1B715614,SHA256=EC4CF516EF0B110C7766030F4BF0A1AFC9C5E995A5526F389C276E5A77015E61falsetrue 12241200x800000000000000011628528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x800000000000000011628527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248\lsassC:\Windows\system32\svchost.exe 12241200x800000000000000011628526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011628525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x800000000000000011628524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000011628521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal 13241300x800000000000000011628520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-291.attackrange.local 12241200x800000000000000011628519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x800000000000000011628518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 10341000x800000000000000011628517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000011628511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011628510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x800000000000000011628509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:43.474{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 10341000x800000000000000011628508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.474{4DF467A6-3F47-6132-0C00-00000000F001}8364792C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000011628502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.389{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x800000000000000011628501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:43.389{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 23542300x80000000000000003350035Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:44.840{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4E9E092817F388891F52D66312F892,SHA256=9E6576D936E27A6DA37967AB960F44585AE885616000CF9AF6B58838ED1C23AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011628570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.905{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49585-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x800000000000000011628569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.905{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49585-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 11241100x800000000000000011628568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:44.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:44.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AD529162DE8DB1644BB95CDD8FD4B2,SHA256=A734DC55277EC46F55B9D4731FFA2E1809B47A8E3AE40B97E4B5EE8779B9C3AAfalsetrue 354300x800000000000000011628566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.813{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local49584-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x800000000000000011628565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.813{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49584-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x800000000000000011628564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.806{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49583-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x800000000000000011628563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.806{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49583-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x800000000000000011628562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:16.702{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49582-false10.0.1.12-8089- 23542300x80000000000000003350036Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:45.843{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948EBF359376653FF09517F496953F1E,SHA256=974AF4ABCD5EAF4B91571079572FBFCA75EC886B4B4D2C6FD33DEE32FB0F8E9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:45.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:45.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D209F71C964BBD257F785D3DDD709352,SHA256=CE33BA692162822E28BEBAC7CB8E46027F6D2AA358B8B3CBCAE3579F273506C4falsetrue 11241100x800000000000000011628574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:45.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:45.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C6E39B85ECC354D8914B09BDAAE04,SHA256=9603F84184DE2E086B7EC8ECD5B89A6FD408D6632B1907C8A047674CA99FE7ACfalsetrue 11241100x800000000000000011628572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:45.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:45.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F89B6EFCAE624A9EB372A9AEE743497F,SHA256=C9E161ED399A3A82E102F998D0003BA9B42D55058CA8EEE216BB9DCB1D2CE27Dfalsetrue 11241100x800000000000000011628601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=21B239A4515B99E697BA4972348406E6,SHA256=EF6C634C3018144BD41E8CA526AD0356EACDA7317245CD181317263FE3C043EBfalsetrue 11241100x800000000000000011628599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3219680EE906E27592556A0A46F3D34,SHA256=553CA1AD0A75B3FF030C2E17BB6666742D9CA7E0A4DE14F208120ECA2B781CE1falsetrue 23542300x80000000000000003350037Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:46.846{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80EF7E8DD8593F404E464710276AFE9,SHA256=CCECE5BD4C0F98D6D156C172EBE5DA9CD35A3D0AFC090C6E0C824FA2B9FF7906,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.513{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.513{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA114E5A652E00E8CC079601FDB4A4B0,SHA256=3F4C08CA3BB1E2D3AA73C7C4CEFB1D7D2CEC0FFEB4C7FEF15758A71EE5B9746Dfalsetrue 354300x800000000000000011628595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:17.520{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49586-false10.0.1.12-8000- 10341000x800000000000000011628594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011628577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.365{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000011628603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:47.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:47.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE96AD946590A633BE9924831E7A68A,SHA256=A8A3D29762F20E4EEAD0F3D64E0F20E10BBE6B1F7E8B963E16F338892509226Bfalsetrue 23542300x80000000000000003350041Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:47.849{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D8EFD66AF2C1495DE510C31F5E80C2,SHA256=B931C7EE68F92BE3FB1C8550815C7515C74940C78E332D80C5153A1FA228DF60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003350040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:35.210{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50120-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:47.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FECBDE8BC5CD346F198DBB5A54F41E,SHA256=8FBAE496A8BC83BB11903EF0FC6D3F0E47684F14426F54521A501AF84C6230CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:47.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AB225F0F53645E1E9D890AAACD0474E,SHA256=97CDCD931A71376D504448B068951499D9968B6898D1ADE6B13856F02802D7A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350042Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:48.852{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F469C325D4CE9A622FE456AC57167CD0,SHA256=0E5295BEEB77B902B19538999CB309C04060D6C668DE4DC557753EE0E8475554,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:48.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:48.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4D0A62F30B84D8984D395876284F1E0,SHA256=2EE7B287C2546C5551CF923BD95B607401F661946A5827BDE30023B0A33564DFfalsetrue 11241100x800000000000000011628605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:48.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:48.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D090B1CF6D0CC7CC6DD331F21FD2E6C6,SHA256=C20586DAF1BBFB61FE04A62B464AFB4FD57D380D921B28470697972ECE76AAA4falsetrue 23542300x80000000000000003350043Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:49.855{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394436355E64BD6C32DA71B5B91DBDC5,SHA256=12B98ECD8BC11747539CDDBBD0C2AB9F3674D76ACB9368DB748E6FCC9D8959B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:49.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:49.574{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B594840518C54FD41599D7CC58AA22,SHA256=168DEFEC314B281F82EEDD1C67E95106090C88C14D36CF81F297AF0704ED3447falsetrue 23542300x80000000000000003350044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:50.857{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D3650FE4DB2067D4C1BF3F95C83E8C,SHA256=EDFCD630502201619365620BE6F09D054EF2C88B2D6E7E2E067B9084C72D64F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:50.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:50.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=43E05D8AFAD793516376CC8481A02370,SHA256=02862D4C68424825680670276311132FE4584CFF186609D4ED5B753DCD1D2E5Bfalsetrue 11241100x800000000000000011628611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:50.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:50.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0690D0D8D70BB78A90131312375A8B7,SHA256=50F24FD438E93C7E8283A72E503124AEC277412B717310F0BC8C74B3958B76A5falsetrue 23542300x80000000000000003350046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:51.860{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590F435FAEFBC4C9C751DD3256F7AE3F,SHA256=424967099338BB9CE19A8A5787337A067C909F8CF11DBCAE2B1AEEA3C44C860C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D260361FE2FB2DA81DDA1DE6C5814BE7,SHA256=E507F9BA8A595CC7415B1D1D733974BC61738A954DC99FE292CC7E99B2949022falsetrue 11241100x800000000000000011628620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504B832EE1FE373143C0B5AA55A19AC8,SHA256=52F7385452E05A439ED1CF6FE81EA37409E1FC8F1572511A14561AF316AF4C52falsetrue 23542300x80000000000000003350045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:51.307{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-15485MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011628618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:23.436{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49587-false10.0.1.12-8000- 11241100x800000000000000011628617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.494{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.494{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1ACD31F8C4AC24DE70947041463767F6,SHA256=C7F3EE265FE751466A030D1351761A6695576238E5FE6E2F8E99BCBDC8ADD778falsetrue 11241100x800000000000000011628615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E98C5BD99B4CE172E4985353CA6D8C4E,SHA256=16665DECA73F775B08B61D0D240E3BD78DA24A9F1DFF6D996B70A26C0F076CA3falsetrue 23542300x80000000000000003350050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:52.863{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E6164C960D9DE5949BEB493C3E3502,SHA256=C7927B9E596D0DA235045B5B5B870879403299CCD600D60EEE3B5B3916BD2D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:52.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:52.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B5723E8D2C6CF966295780432FDEBB,SHA256=4E6DA803FDCCB1EEEA1D9FA223E52745CB077CE3C6E7B6C35C74A678E8E8E3D2falsetrue 23542300x80000000000000003350049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:52.308{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-15486MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:52.245{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F666CB6497A9C665AFE6B8E3E9A9AFF,SHA256=68551FDABD413912702D059382B74D9EFB85E019C4AD1F7A860EC0ACD76F38B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:52.245{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FECBDE8BC5CD346F198DBB5A54F41E,SHA256=8FBAE496A8BC83BB11903EF0FC6D3F0E47684F14426F54521A501AF84C6230CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:53.866{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2F73A619D22A26392F4BBCCAC9FA52,SHA256=6268C98F2250370FB269DF6C02741D03B9C2BC3BA295ECF42D8C74E60EFADE5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000011628635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:53.599{4DF467A6-4079-613A-86FA-00000000F001}58967744C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000011628634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:53.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:53.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0DF0B3B2929A62C2E140B782879D35,SHA256=410FE4F3BBE6028E69B8764ADDD6C1C01BD6A6FF38663D47B5178A148A01E63Dfalsetrue 354300x80000000000000003350051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:40.324{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50121-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000011628632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:53.531{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-09-14 16:17:53.531 11241100x800000000000000011628631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:53.531{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-09-14 16:17:53.531 11241100x800000000000000011628630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:53.531{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-09-14 16:17:53.531 11241100x800000000000000011628629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:53.531{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-09-14 16:17:53.531 12241200x800000000000000011628628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:53.531{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011628627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:53.531{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000011628626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:53.531{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000011628625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:53.531{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000003350053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:54.869{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A551243ED6765C8BD467466ED0CDF4BB,SHA256=292BED5680D8E14AF73A70C92F9C6D0CEDA8CA2D6238D74630AE4D720F1E79F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:54.586{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:54.586{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDC96CE0185C24668392311530726F1,SHA256=CEBFE52FFDE11DAB8BFBF6410705EA98A2302DD6BC505580E882F6FF5952C5F8falsetrue 11241100x800000000000000011628637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:54.548{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:54.548{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA84D7A430568EF5738A197846AAF9BB,SHA256=94FF1FC79D639EBA0A3533F6553BFD8F968499DAA33E9CAB3FF1193EA21FA78Ffalsetrue 23542300x80000000000000003350054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:55.872{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBC33C026ACD81B80095A37736696FF,SHA256=D4954F67E7C7D529FEE458DED25961164B503AA9879057740DF65CD37C023637,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011628648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.873{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49588-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000011628647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.865{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56013- 354300x800000000000000011628646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.863{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-291.attackrange.local64648-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x800000000000000011628645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.863{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60506- 354300x800000000000000011628644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:26.863{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60506-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domain 11241100x800000000000000011628643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:55.589{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:55.589{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F59F27C2B2E13F372ED96CD4BA8BAB3,SHA256=9350A8E041D002A93733162B2900692723ED487ABB77E2062812197E35DCA47Dfalsetrue 12241200x800000000000000011628641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:55.087{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011628640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:17:55.087{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000003350055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:56.875{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D889152169622E39314ED2D453970C2D,SHA256=859F034B0341141BC7B92E90D1AFFA7CC75C86E966CF11757108ECFB5509C28A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7311A976ED88E9772FDB9A56E07DCA51,SHA256=09489DCB2E2B505184824962A82850AFCF03F7EB0134C8BF1B948A234FCF6CE4falsetrue 354300x800000000000000011628660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:28.416{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x800000000000000011628659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:28.416{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x800000000000000011628658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7E2CFE435A0265B72CA35D7C5556B8,SHA256=53AD304C76B3DA0C726192FF7ABB257543D095B6568DFA80E780540131828A33falsetrue 11241100x800000000000000011628656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53541532178E1F4E0833D297A645C3B2,SHA256=149259501398E2FB139AC3CF0FE1FF809B46161AA82750D692D79F2B8F46C6C5falsetrue 11241100x800000000000000011628654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.290{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x800000000000000011628653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.290{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EC113A8A0FE8F5919BCBA48D12D4BD43,SHA256=38FFEDF889F25FCD697F473E4B528DC306E8DC947D0A5F293EA19C022CA8B3FAfalsetrue 11241100x800000000000000011628652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6A4D4340D6DE4D8D2A942DE2563E878,SHA256=CAD99642B073193F1489F8BE2C30ADDF39A843DA71EB713C64B3888876138CB2falsetrue 11241100x800000000000000011628650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:55.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:55.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=05EF1216797B05407C833D991123CAAB,SHA256=FB9FA7A491D4F7580A7CD431255228627E81552A221232E0CBD5E13288B577F5falsetrue 23542300x80000000000000003350056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:57.878{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B3BE5D813EA962769409B440250FC0,SHA256=17BEA5EDB844BB133489BAF025032D1F979EE0DB5085FADF9C8E7544945B40EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:57.593{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:57.593{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B52B91C22143C926B0C08A32E52EA6,SHA256=5D953061E41ECFB8A6F90458A30CE520047FEDA1D55A95666ACD42427F72AB53falsetrue 354300x800000000000000011628667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:29.419{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49590-false10.0.1.12-8000- 354300x800000000000000011628666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:28.942{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local62939- 354300x800000000000000011628665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:28.933{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51270- 11241100x800000000000000011628664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:57.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:57.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02C1E9903FEB18F5CE7B94B44EDAD90C,SHA256=568E1432C0860B77122C3AA5627277FFD87A4801D965E797D8EA5D774588A583falsetrue 23542300x80000000000000003350059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:58.881{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11256C040580DDB33964A58A9CF949D4,SHA256=CD04CCAC7536A57CAFF48CD34DD08B1A3455B8D3A24765EB5E7E587AA6648554,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:58.597{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:58.597{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC0D657BE5D00E873482A21397CA7AC,SHA256=4E683A576B5E6B08C2F8466B13A74165B3971320058F8F075BFFA882132E016Dfalsetrue 23542300x80000000000000003350058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:58.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA6BAD3DF4ED23097D2FB750FD4B41CB,SHA256=67D1E9C42BC2DB90929F84FE8774753C2BC7687155827A68235FAB39128BB096,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:58.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F666CB6497A9C665AFE6B8E3E9A9AFF,SHA256=68551FDABD413912702D059382B74D9EFB85E019C4AD1F7A860EC0ACD76F38B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350061Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:59.884{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D184235B448AE4BCA2328B98F00E0BB,SHA256=DE2B05F5EEEC72942FADC3EC8B96F16F7A962E62F50481CF2AD0055CAF6A80AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:59.600{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:59.600{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98E567647FD243B0A4073AE7E0A0DAB,SHA256=FF97698FEE8DF0305E4BA281B9AA2BB380141B119E12ADAF33A8DB754270B5E5falsetrue 354300x80000000000000003350060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:46.121{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50122-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350062Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:00.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6759EA1503BB958ACCA86E14B602E43C,SHA256=BC7254302C4B7EFB63453CB7AD402F6E03FC83FDCBADEBC12C40C08C4A47EFDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:00.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:00.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEB824FBC1378206AA0FC3E36B1AF7B,SHA256=03A86677E4125586A9C34BC3F6C0333555C8CFC8991D3704712385C56C10A3F4falsetrue 23542300x80000000000000003350063Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:01.889{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B632AAA2E127B6696294A71CC14918,SHA256=5FD4CCE5FCA140E551F5A9A962430B6D87AA45F98EDA453762D8D0AA234FEC90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.966{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.966{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCEA89F56E39AFC1864BC7E36CC61F7E,SHA256=5A9E04CC8784870219D55FAC4F7D5AA2F3AAE027FE40425EEB9BC955A105D30Ffalsetrue 11241100x800000000000000011628681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DC477959EA2FF2497FDF06189FF1A151,SHA256=2F33E2D943160A43E3C12F0D25FBB35A520D1F9B6A24BDE2F24AF060190CA4A8falsetrue 11241100x800000000000000011628679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E502958325DD2C06A315C41ED023770,SHA256=50BDB10D4B270350EBA36A0C61B002E5B9E96E1C8CBD0830F75DD82186E50627falsetrue 11241100x800000000000000011628677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.103{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7760ED43EA782C46D357F0C5BF0ED30,SHA256=0CE343C3BBE4092AFA179AE769E81A5A4C52FEE8140465BE4338873B58E69BD2falsetrue 11241100x800000000000000011628685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:02.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:02.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5B1AFA59D51F4DD1B52191195762FF,SHA256=71245B8AA6D913D20C077F32C6DC0CD9359256941A814D2B96953144EB4DF6FDfalsetrue 10341000x80000000000000003350090Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB3A-6140-7AB8-01000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350089Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350088Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350087Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350086Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350085Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350084Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350083Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350082Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350081Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350080Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-CB3A-6140-7AB8-01000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.993{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB3A-6140-7AB8-01000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.978{AEE49BD1-CB3A-6140-7AB8-01000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.892{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D724402DC98BD8ADAF9BDE3ED30112,SHA256=5D54A3FE1A1F194AD6C11046E9396C5FFD25CFA7C087DAB2A35CA24A2FBEF5CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003350076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB3A-6140-79B8-01000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350066Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CB3A-6140-79B8-01000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350065Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.306{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB3A-6140-79B8-01000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350064Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.291{AEE49BD1-CB3A-6140-79B8-01000000F101}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350107Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.995{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37685AAA597F3F893DA7CAF2C4151A8,SHA256=7CC462B2FA4147E978001DD7AE14827502BB04FA3052AC353D1A2881B92A6EFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:03.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:03.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB850291DC345F6E38E858CC006DB6B,SHA256=DE457AABF0FD9722C649A06B3387DDA7DB7F111BB4350467A1808E98D1B577B2falsetrue 354300x800000000000000011628690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:35.367{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49591-false10.0.1.12-8000- 11241100x800000000000000011628689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:03.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:03.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D48C2B85B5D03977E2A50F000954C02B,SHA256=340F346361E7D030A2E69DBAF914915EAF991A1ECC2EACB249E82D75D7A77D51falsetrue 11241100x800000000000000011628687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:03.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:03.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA803C3537E210533EA7F84D78219209,SHA256=4BB9FEA8021D595AD255DF97B27AAA3D8A072EF3C646CC5D15B7849B41195CF9falsetrue 10341000x80000000000000003350106Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB3B-6140-7BB8-01000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350105Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350104Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350103Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350102Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350101Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350100Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350099Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350098Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350097Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350096Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CB3B-6140-7BB8-01000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350095Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.694{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB3B-6140-7BB8-01000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350094Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.679{AEE49BD1-CB3B-6140-7BB8-01000000F101}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350093Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.139{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B71E16D9396794420391D895FA580951,SHA256=70895D952A18261C8E30D141ED4E315EC77060A46971BB465146360E484D6066,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350092Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.139{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA6BAD3DF4ED23097D2FB750FD4B41CB,SHA256=67D1E9C42BC2DB90929F84FE8774753C2BC7687155827A68235FAB39128BB096,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003350091Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:03.108{AEE49BD1-CB3A-6140-7AB8-01000000F101}4072212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000011628694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:04.842{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:04.842{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9991846243174CC32502D88AEAD141,SHA256=2A01BD9A3331A3539D7D2FBCE87C35F182683115A5EED0552B235650FA06FB4Efalsetrue 23542300x80000000000000003350109Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:04.682{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B71E16D9396794420391D895FA580951,SHA256=70895D952A18261C8E30D141ED4E315EC77060A46971BB465146360E484D6066,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000003350108Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:51.187{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50123-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000011628698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:05.845{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:05.845{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3DFA2F0299AFD90E9C726D65096019,SHA256=78D1BF244636B58072AEF90ADFDF2445B9C84A04C1F6D593ED53E4F9998117EFfalsetrue 23542300x80000000000000003350110Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:05.063{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8FBBC737EB1020A95953441D2EB047,SHA256=62716E8AAF9E26D0BCF292A365A37AD20785F10F57D30A5D29DFFCBC8E4471F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000011628696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:05.613{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 23542300x800000000000000011628695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:05.613{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=CBB54AE6580C00A21681D056FC2B3A86,SHA256=05C2BC9826DF830BF0B21351324F0DAC44728A0D1CF47715CB6438401C917CCAfalsetrue 11241100x800000000000000011628704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:06.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:06.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB368EF93344328C2F44F3D6CB618732,SHA256=1F74C36310E4767A6EA3EB460941731DFB97B7D61179468F931B83E6026269FCfalsetrue 23542300x80000000000000003350111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:06.070{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D31BB3BB5A16C3596ABEB81D55B4633,SHA256=04FAEB544B1EC8C598DF82E25F0FDC11F4E38463F7E3596EE87B0D30673BF749,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:06.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:06.715{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=03B3DD77A5FF1E29468622F056D980C0,SHA256=3249A962B2883419118736CC0BBDFE4EAD6ADAD4145D46695273237988C37AAAfalsetrue 11241100x800000000000000011628700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:06.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:06.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A16B6B4C91793CA99ECB6DA406CCA9AC,SHA256=21B328B50455A8C9CC4A25198F4260655EC0AD48FA3761D0C7F89821F547D670falsetrue 11241100x800000000000000011628708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:07.849{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:07.849{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F706A6AD52C55A86D6B483DA02A7EF54,SHA256=DE8749790B8C446BCBCC9F9FD740ADE541018312902B10F10291A51C19ECC4B4falsetrue 23542300x80000000000000003350112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:07.073{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12161FDAEE5B5C98265A65E13F2DC28C,SHA256=2561C186165D8EB2BC37FC9CE4F0FF322FD7D28112E01234CBAE1A6CE8861824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:07.016{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:07.016{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C6834392D0447BAA5E69947BF2888226,SHA256=DAA5FDD07C20A552E2BAD3142945905BE325CAEA80FF1EBE045EFE13170BF933falsetrue 11241100x800000000000000011628714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:08.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:08.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C24B0F729B24EB8C3DCAF110E02361,SHA256=FB3C24044A9AF0EB9B1E41C06C9AB33512C7183C9164577CE7985D32B8858C33falsetrue 23542300x80000000000000003350114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:08.408{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:08.091{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7684545A1248DC7191BA536BE460B26E,SHA256=FD71D5067B76AABFC6374D20FC69E78EE14B1C6BEFE0EDC17CADFFA12D6D5D2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:08.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:08.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEF1F3B4CD7842BB064BDE99C92349DA,SHA256=D5961E0257EFA7CE95D9095EBC9FF4069B1359E7B0864A9CE20071AF2FFF6CA1falsetrue 11241100x800000000000000011628710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:08.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:08.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D48C2B85B5D03977E2A50F000954C02B,SHA256=340F346361E7D030A2E69DBAF914915EAF991A1ECC2EACB249E82D75D7A77D51falsetrue 11241100x800000000000000011628717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:09.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:09.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8C747011DE87124A1C50A6DBA8819D,SHA256=346AA718C3437C2B34BD195A0737FDF15B448A90A821450716832E35504B6639falsetrue 23542300x80000000000000003350116Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:09.094{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A713F5603E0581A1CA5C369C869C4D,SHA256=D8F666EA28F16D2FD5F4A13C09E16912758CD8DAE61082F75A621143EC5131B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011628715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:40.460{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49592-false10.0.1.12-8000- 23542300x80000000000000003350115Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:09.075{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F9154401FFC0B00815D7E1BC8754D5E,SHA256=17490F4E6F36F5BCA47A0C71C83977DC70DDAA27F6AFB2E9A295AADFC28FCACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:10.906{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:10.906{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457395C06D468731775A09E292CF8324,SHA256=31FF86CD10A4C6BE9408B6DA7EE268C5E5DE06A673AB57CC18CB86E70FA73377falsetrue 354300x80000000000000003350119Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:57.489{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50125-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000003350118Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:17:57.153{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50124-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350117Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:10.177{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7862C988656AEF89C9279D616A652D2,SHA256=9FB9BFDAE15711E1BDF9AC69EB965AA63A0904F1E45657F433A9836A23C028BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:11.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:11.927{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F82ADCF7050B0CE1ECA628EA4251C81,SHA256=C5483F99C32D22CB585676FCBDC8E0A85463088C9373F15C4955665BEA01A58Dfalsetrue 23542300x80000000000000003350120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:11.180{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61C8264DFD8FBD4AFDD720D20889810,SHA256=100C2BDF8207FAFD84778666D841382DEACF17D3C6EDBA418A8BB292136DFAC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:11.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:11.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ADF98EB2721CFFA2BB0FF1B2A8B0CE14,SHA256=A6C9941628478321EAA04ED8E8258C033A1409DA39947D56606A90A2B21B1EB9falsetrue 11241100x800000000000000011628721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:11.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:11.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=502DE70D7B53C551EC5E3C332E15D407,SHA256=C72569EC71FAB2CC78038DDAAC37DC645DCB4EA3EC10A0576CDA7B29AD790958falsetrue 11241100x800000000000000011628729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:12.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:12.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2930B723EDB78BD927E5397F88F49EDC,SHA256=ACD5490CEFB168B196C5ED619F9A7DC8929E9EEE64C07F09EF84F4FF9F491DA1falsetrue 23542300x80000000000000003350121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:12.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F815D65E452DBAC0295FE0B78EDC54,SHA256=D8497F5278746F11A5B900CE0400F6E0EB8C64C303C5D193072F55CBA43B222C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:12.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:12.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DC9395370C45149577ECA7D23FA65A59,SHA256=B220F0E92571F5CFF47213CBDC43EFFAD4B7369040B32B7AE791740BDB842ABFfalsetrue 11241100x800000000000000011628731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:13.933{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:13.933{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE91F6F7A1916B0F8E92D14F645F82C4,SHA256=E07640AE3478693A61F62A3B1DDBA2AFB4BCBCFFEFECC9FF91CECC3D9DFCFD76falsetrue 23542300x80000000000000003350122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:13.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A341CD4D6A6B363DC3F300536C75FED,SHA256=6DB4E58008ABD7EF54F686C1B649F9EE2D121DC3F86566C4813A73741873463D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:14.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:14.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B85BEF1B8C7229B488D5FBCAC1B1F58,SHA256=121A77B1517EB7CC21F3CCBB35D0DD7DEE0C6D51B32EBADF65AC86243EA5A778falsetrue 23542300x80000000000000003350125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:14.225{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23D8D9B089E8EE941CEAFC1657D32C5,SHA256=81066063797A3399BA9CF35F4BD361E4FD0EA7FC750E96694C8CC9E2318CD4BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011628736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:46.339{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49593-false10.0.1.12-8000- 11241100x800000000000000011628735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:14.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:14.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5681193C19FA9386292B2C953E678C36,SHA256=1AE92AE774993AC865C10E5773EF7552B761555914A36F7D83A89E57E238E31Afalsetrue 11241100x800000000000000011628733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:14.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:14.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEF1F3B4CD7842BB064BDE99C92349DA,SHA256=D5961E0257EFA7CE95D9095EBC9FF4069B1359E7B0864A9CE20071AF2FFF6CA1falsetrue 23542300x80000000000000003350124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:14.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AA27818868DE786CEACD336B717214F,SHA256=877FF2688090EE2C0DDF489B87DD8B827AA36A6EFD8C9C89709FA52996D77488,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:14.088{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6029ECD1D6F89E7F3760B7123F031A,SHA256=FD159046805FC1F189ADC0E3954503C07B5997FD6BD7CD8336A6D0A72E50F60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:15.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:15.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A1AA5C52296B2FC2F047216AF6FB2,SHA256=DFA761E16FC3E4CA7C4A4D15FCD67657EA50CB7AACEAEC5AC56FCC7893483E63falsetrue 354300x80000000000000003350127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:02.167{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50126-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:15.228{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22A8EF4EAE33B753156830AD118988D,SHA256=D6A6D38E05130660916FF60AD780BBD8D8D53A547207CE86EE377CC0FA8C4EF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.958{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD55226697D5A5FA3F84CA4014EB760F,SHA256=E5C7CEEC5AAF01700F26E55206297065889A8FF4E68D3F9EF4A31196E9F7D7DAfalsetrue 23542300x80000000000000003350128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:16.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05AE2D99B8030FD8D8286AA05358267,SHA256=B5D5469184DA4740B1A7A659B82F58FF2F34AFF78B0E31A56B2F1241A9C5E93A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6296AC9FEF93FEA212005EA083D95B36,SHA256=2E38D6918E24C47166702AD36AC885C95B04ADD9202098094651258707CF576Dfalsetrue 11241100x800000000000000011628793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpset2021-09-14 16:18:16.640 11241100x800000000000000011628792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstore2021-09-14 16:18:16.640 11241100x800000000000000011628791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpset2021-09-14 16:18:16.640 11241100x800000000000000011628790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstore2021-09-14 16:18:16.640 11241100x800000000000000011628789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpset2021-09-14 16:18:16.640 11241100x800000000000000011628788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstore2021-09-14 16:18:16.640 11241100x800000000000000011628787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-track-digest256.vlpset2021-09-14 16:18:16.640 11241100x800000000000000011628786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.640{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-track-digest256.sbstore2021-09-14 16:18:16.640 11241100x800000000000000011628785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset2021-09-14 16:18:16.624 11241100x800000000000000011628784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore2021-09-14 16:18:16.624 11241100x800000000000000011628783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpset2021-09-14 16:18:16.624 11241100x800000000000000011628782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstore2021-09-14 16:18:16.624 11241100x800000000000000011628781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpset2021-09-14 16:18:16.624 11241100x800000000000000011628780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadata2021-09-14 16:18:16.624 11241100x800000000000000011628779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpset2021-09-14 16:18:16.624 11241100x800000000000000011628778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadata2021-09-14 16:18:16.624 11241100x800000000000000011628777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpset2021-09-14 16:18:16.624 11241100x800000000000000011628776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadata2021-09-14 16:18:16.624 11241100x800000000000000011628775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpset2021-09-14 16:18:16.624 11241100x800000000000000011628774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadata2021-09-14 16:18:16.624 11241100x800000000000000011628773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpset2021-09-14 16:18:16.624 11241100x800000000000000011628772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadata2021-09-14 16:18:16.624 11241100x800000000000000011628771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google42021-09-14 16:18:16.624 11241100x800000000000000011628770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.623{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpset2021-09-14 16:18:16.623 11241100x800000000000000011628769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.622{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstore2021-09-14 16:18:16.621 11241100x800000000000000011628768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.621{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpset2021-09-14 16:18:16.621 11241100x800000000000000011628767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.620{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstore2021-09-14 16:18:16.620 11241100x800000000000000011628766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.619{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashallow-digest256.vlpset2021-09-14 16:18:16.619 11241100x800000000000000011628765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.619{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashallow-digest256.sbstore2021-09-14 16:18:16.619 11241100x800000000000000011628764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flash-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flash-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\content-track-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\content-track-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flash-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flash-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstore2021-09-14 16:18:16.603 11241100x800000000000000011628748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.603{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.vlpset2021-09-14 16:18:16.603 11241100x800000000000000011628747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.587{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.sbstore2021-09-14 16:18:16.587 11241100x800000000000000011628746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.587{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating2021-09-14 16:18:16.587 12241200x800000000000000011628745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:18:16.556{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000011628744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:18:16.556{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000011628743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:18:16.556{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000011628742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FEB6243448F1B3C23F7B73043C950E2A,SHA256=4345BA31EF738DCB9A780C573D4005343B4E10E41FBC5C25CBD7C816DA970320falsetrue 23542300x80000000000000003350129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:17.265{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B54F73E8B92CCF342FA0C6B1929248,SHA256=127F46741E368DE71C7526BFC48B4EEF8A23D1BA3CC9AC6F2EFB92CA2F59AEFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000011628870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.886{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=510DBE6F67223DC5455E6E4154A5ABA1,SHA256=EAE14BE97AEE2D07A23A3873E18A3B36C7B418FB5F7C246D3C545A3DE694CE64falsetrue 23542300x800000000000000011628869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=74B40F273A6747E9CE65CCBF8271C07D,SHA256=FB4D70D21CBA8D7CB9007D65FA14CD3C9B1174E1C021EEF0E6AADF9ECDBF137Cfalsetrue 23542300x800000000000000011628868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=2B389398AA165211D3266E5FCE7C4A1B,SHA256=D03AED95539ACF458EB2DCFAE019EE36FE15032E585CCE3E27AE6F9C2CE81CA2falsetrue 23542300x800000000000000011628867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=770D1830F8D6205E2C4F4803B793ED47,SHA256=F60ADE0662A50F1FD8DB63072A7334A25B65F787BCB5919D48F5553815DD786Afalsetrue 23542300x800000000000000011628866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=A22E116730EDC7AF2CCA43F01ED2287B,SHA256=8ABFC97A9A054898114283D995C9CE64B117E7F0341E41A59684A307F14DA4BDfalsetrue 23542300x800000000000000011628865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=3618696D4E539F97562A79C98543C1CD,SHA256=6A36AC5E5DD100E661DA8D21E24D4EE9A7F8CBD790B582751AC58AE747372192falsetrue 23542300x800000000000000011628864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=431A9D7F2CDFEAC0470A064901787C16,SHA256=2A5C6A47A86FD3D1FC267C287D10236BA97349083E7DFA67022AA99FF126BA71falsetrue 23542300x800000000000000011628863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=D4EC42A09329AF85B3C9A1C00EA2B908,SHA256=A3F3F2349DE8CA75AD8A464731DC17802A0DDD34BB1E3D4FAE83A674DB613CAFfalsetrue 23542300x800000000000000011628862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64Afalsetrue 23542300x800000000000000011628861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=1904311EF938B38EA7286C04E0773792,SHA256=DF82CCF876F410906794D4550BA321E1D0C8A8B4D046F7EC9410F4468ED90820falsetrue 23542300x800000000000000011628860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BCfalsetrue 23542300x800000000000000011628859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0falsetrue 23542300x800000000000000011628858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=0C881FBABAA50CDCBDAFC8360DEACEB8,SHA256=39FC16902587BA9A7813098479D599D85308D7CCFE649D9609977CD6FD3DE0A2falsetrue 23542300x800000000000000011628857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=BBA9257B5114A73ABF07AE6F0EF05206,SHA256=C836974820A07C216746728058CB812AB85979BFD53EE81B6A045DB84DC76F67falsetrue 23542300x800000000000000011628856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.870{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=8BA3968328715A8907A4C291EC052068,SHA256=F930B64270E79ED6AAFBC784112678AC6D6626FF3B2181A3611D70C8DE4DF1B2falsetrue 354300x800000000000000011628855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:49.898{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49594-false172.217.14.234sea30s02-in-f10.1e100.net443https 354300x800000000000000011628854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:49.890{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63011- 354300x800000000000000011628853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:49.888{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49815- 23542300x800000000000000011628852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.786{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=D1F9F2217E975EBA28332F9ED7505A64,SHA256=2BE56FF27F36218BA0497AFDD5184DEE079E2050B635122E72EEED5BE539FECCfalsetrue 23542300x800000000000000011628851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.786{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=ACB69899EED83423BD18CD5EA544914C,SHA256=A6AA6F8DC25059F61A218B0F618309A330CE37A38D9BE60863FF3770A00B340Efalsetrue 23542300x800000000000000011628850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.786{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=3DCFB81E4C6AF8B91B2E6F5E9FF7B7B3,SHA256=361D546E489014D3A49AA908CAC2EC6EACE51256BC609587BF4B1805287BFB70falsetrue 23542300x800000000000000011628849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.786{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8falsetrue 23542300x800000000000000011628848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.786{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=DBDE3BAA15B0B56BE0910D8C92AA7CF5,SHA256=4CFBE9512EA828D348725E3555ADD870F27029159837F4890E6C01260D094009falsetrue 23542300x800000000000000011628847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.786{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=9873C9DE400BB8D646ECA821A39F7D64,SHA256=F12B09CBFB50ABD13ECF2BA88607CFAC16BBF13EC78DD75D891DC049D913DB40falsetrue 23542300x800000000000000011628846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.771{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=811E2082BA19DD16E99E59223A516103,SHA256=AB89FB45F1988532EA5C83B9D874E4376881189E92469223429E7164CE62A3CBfalsetrue 23542300x800000000000000011628845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.771{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1Efalsetrue 23542300x800000000000000011628844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5F83B0D6BA161602017AC27A96F3705B,SHA256=DB679CA27EE3FD9899E5DEF0384A3722FD19F4A23D8F35CDE1F3482E9642886Efalsetrue 23542300x800000000000000011628843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97falsetrue 23542300x800000000000000011628842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5falsetrue 23542300x800000000000000011628841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49falsetrue 23542300x800000000000000011628840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761falsetrue 23542300x800000000000000011628839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25falsetrue 23542300x800000000000000011628838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571Cfalsetrue 23542300x800000000000000011628837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=D3C79EEBD1FBF04B25D7E0D89796A366,SHA256=77CBCDF1F4FBF279888EF690AB6537A37271904F49F10A6B547B50CFB0A04A0Efalsetrue 23542300x800000000000000011628836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1122B8CAA1EE6AFCC8D9C705810B59DA,SHA256=389FB0D336133EEE3F98D97A725786A1191EE0E2BE2AE16458198724EB16DAE1falsetrue 23542300x800000000000000011628835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97Ffalsetrue 23542300x800000000000000011628834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722Cfalsetrue 23542300x800000000000000011628833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460falsetrue 23542300x800000000000000011628832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6Dfalsetrue 23542300x800000000000000011628831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0A118F84489D0336500BA7AA28EEC3DB,SHA256=80CDBD62FAC86A30E13F3CAA31D8DC1BBFA458FF093CA3113DCF17FA09204493falsetrue 23542300x800000000000000011628830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.755{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=7108E87CAD9A9187F04E0DB62EE11BA2,SHA256=D3E981266944DC3516502147A13554BB1F413120FFB119EF7191073704AEBDE3falsetrue 23542300x800000000000000011628829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=12C155DD5E881352A0ACA1597315E4B4,SHA256=5EFE168A26228F9557DB8EEF6F128E6F2BC3CFCDBAAC5F1E54CA97980170DD62falsetrue 23542300x800000000000000011628828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E03E73D5F6ECD4CD32C3DC29D718D0CD,SHA256=E0EECABA3B9EF2ED989A88F166FBD18E87DCAE59C51EC0C8615EB181CDBD6875falsetrue 23542300x800000000000000011628827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=9029D6F8F6B542F8CC8BED031A868332,SHA256=B779ED2DDA6A823FC2E108105D90A5012357F0082973C164F86D95AED6E16573falsetrue 23542300x800000000000000011628826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=98E577C148A61351966CCDC96A865C91,SHA256=2A6127C1960DFB83F8F6D0B6EF099120B1BD858E432B56E7CA14F34B6986D989falsetrue 23542300x800000000000000011628825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7falsetrue 23542300x800000000000000011628824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761falsetrue 23542300x800000000000000011628823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=3A16652F3D7E909EEFB688780FB23DFB,SHA256=77E575221C7FB694A4D9FD39B1563AF193D1A6AF22C18DCFC77BB992B19B2BF9falsetrue 23542300x800000000000000011628822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.739{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E4AD5A04A5C7E1E2D01F8AD2F766BB15,SHA256=59DBC09166E7BA59B5CB02DF109991B71AD70418BA45595A9536A4758A630226falsetrue 11241100x800000000000000011628821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.724{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadata2021-09-14 16:18:16.624 23542300x800000000000000011628820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.724{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=811E2082BA19DD16E99E59223A516103,SHA256=AB89FB45F1988532EA5C83B9D874E4376881189E92469223429E7164CE62A3CBfalsetrue 11241100x800000000000000011628819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.724{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpset2021-09-14 16:18:17.724 23542300x800000000000000011628818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.724{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000011628817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.724{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpset2021-09-14 16:18:17.724 11241100x800000000000000011628816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.655{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadata2021-09-14 16:18:16.624 23542300x800000000000000011628815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.655{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=BBA9257B5114A73ABF07AE6F0EF05206,SHA256=C836974820A07C216746728058CB812AB85979BFD53EE81B6A045DB84DC76F67falsetrue 11241100x800000000000000011628814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset2021-09-14 16:18:17.639 23542300x800000000000000011628813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000011628812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset2021-09-14 16:18:17.639 11241100x800000000000000011628811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadata2021-09-14 16:18:16.624 23542300x800000000000000011628810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=3DCFB81E4C6AF8B91B2E6F5E9FF7B7B3,SHA256=361D546E489014D3A49AA908CAC2EC6EACE51256BC609587BF4B1805287BFB70falsetrue 11241100x800000000000000011628809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpset2021-09-14 16:18:17.639 23542300x800000000000000011628808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000011628807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.639{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpset2021-09-14 16:18:17.639 11241100x800000000000000011628806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.624{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadata2021-09-14 16:18:16.624 23542300x800000000000000011628805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.624{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=D1F9F2217E975EBA28332F9ED7505A64,SHA256=2BE56FF27F36218BA0497AFDD5184DEE079E2050B635122E72EEED5BE539FECCfalsetrue 11241100x800000000000000011628804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.589{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpset2021-09-14 16:18:17.588 23542300x800000000000000011628803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.589{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000011628802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.588{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpset2021-09-14 16:18:17.588 11241100x800000000000000011628801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5681193C19FA9386292B2C953E678C36,SHA256=1AE92AE774993AC865C10E5773EF7552B761555914A36F7D83A89E57E238E31Afalsetrue 11241100x800000000000000011628799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:17.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4587004E2D05F27EF231423FE653089A,SHA256=F97421D8FFBE47D588303288FB83BD8BE4F75936D31A8B3EACC1F2B841889A73falsetrue 10341000x80000000000000003350144Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.837{AEE49BD1-CB4A-6140-7CB8-01000000F101}58282692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350143Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB4A-6140-7CB8-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350142Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350141Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350135Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350134Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350133Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CB4A-6140-7CB8-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350132Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.706{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB4A-6140-7CB8-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.700{AEE49BD1-CB4A-6140-7CB8-01000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350130Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:18.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08CDA92E92E2C5B319FD00D94631D4B,SHA256=DEF96F61E2FF19716DCA44D1899BF9100C1015594D842EFAB0A0EF380ABEF0D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000011628877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:49.866{4DF467A6-4079-613A-86FA-00000000F001}5896safebrowsing.googleapis.com0172.217.14.234;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000011628876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:49.866{4DF467A6-4079-613A-86FA-00000000F001}5896safebrowsing.googleapis.com0::ffff:172.217.14.234;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000011628875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:18.403{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-14 16:18:18.403 23542300x800000000000000011628874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:18.403{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000011628873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:18.403{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-14 16:18:18.403 11241100x800000000000000011628872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:18.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:18.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1819FAF05CDDD36C8347169F372DD438,SHA256=25B83630EF0A4A4508994D6F94E234C4791C17971C7DB0236DC72A32FE1F07B6falsetrue 354300x80000000000000003350162Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:07.282{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50127-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000003350161Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.508{AEE49BD1-CB4B-6140-7DB8-01000000F101}60325072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350160Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB4B-6140-7DB8-01000000F101}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350159Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350158Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350157Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350155Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350152Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350151Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350150Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CB4B-6140-7DB8-01000000F101}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350149Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.386{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB4B-6140-7DB8-01000000F101}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350148Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.371{AEE49BD1-CB4B-6140-7DB8-01000000F101}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350147Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.308{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DEB301423D40494413B6FB0DEA9B63,SHA256=07AC7FF679473357FCFBAF5D72A013A809D7B32B9969110AFF16AD48FB213773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011628882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:51.368{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49595-false10.0.1.12-8000- 11241100x800000000000000011628881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9191EA6A4935E456C75489AFEACAB7E0,SHA256=1909FC8278F698C0602954B437D66736C6B3618BA2E4AC6EBE52905FB04A6C51falsetrue 23542300x80000000000000003350146Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.223{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4D8E0845F036603583788F9C404A6E,SHA256=7F37807BC7CBDEAE17108D48B9AE903F442DE9A831999C5E4AA9B9485FB491F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350145Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.223{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AA27818868DE786CEACD336B717214F,SHA256=877FF2688090EE2C0DDF489B87DD8B827AA36A6EFD8C9C89709FA52996D77488,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:19.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011628878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:19.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A055AE5BA07C197E6DE1D3901E59750,SHA256=58F3E9E03D411BD8CE1DADD6368FBDB91950361C3A7B7BB807C685C20AEC0F2Afalsetrue 23542300x80000000000000003350179Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.641{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C63F0CD6D518B174A94ED767C3EDF1,SHA256=B6D523BDB4EB9FE4EE815F57C943057D2927BBF51E81E555729550A901291175,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350178Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.641{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4D8E0845F036603583788F9C404A6E,SHA256=7F37807BC7CBDEAE17108D48B9AE903F442DE9A831999C5E4AA9B9485FB491F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:20.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:20.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C13F917BFBB0AF1E0E801FB0B8DB62F,SHA256=646911E40BD65E272960E0899042A1EB51B90EABF678895115FA98B1D8F81FF2falsetrue 23542300x80000000000000003350177Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.240{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=649A1BA40965ED7EE226A4D9913016B0,SHA256=254B40183C332B37646F986A9732689CA54360E5AA932438A1111FF211ADD230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003350176Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.203{AEE49BD1-CB4C-6140-7EB8-01000000F101}23005856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350175Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB4C-6140-7EB8-01000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350174Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350173Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350172Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350171Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350170Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350169Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350168Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350167Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350166Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350165Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-CB4C-6140-7EB8-01000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350164Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.072{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB4C-6140-7EB8-01000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350163Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:20.057{AEE49BD1-CB4C-6140-7EB8-01000000F101}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350180Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:21.644{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29822CB679B6A72810C7CCB3DFB1F14F,SHA256=CC8DF02A0DE9B7BD4EA6960E3028EF8924C88AB1DE842028E9CEBAAADEC99D5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011628890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:21.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:21.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3BB1A5A5790DA0F147069B94C1D9678,SHA256=88FDDF7E26003C9681AEAD985DD41EFB35598607B7C80AC7F33E3013FD3B4267falsetrue 11241100x800000000000000011628888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:21.495{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:21.495{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1DDE2D8DF4372669B4A8222B118D0C36,SHA256=7F80227784ABBA1D6F087D5B8A99976FCD249325605EE977511F137722FDD8CBfalsetrue 11241100x800000000000000011628886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:21.196{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:21.196{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB92EC4E98406D442948490C6E74F969,SHA256=36ADD6B1CF26DF8C38703CFB6D92EA0FDF55925F5AFF385D0C76CF7239B564EBfalsetrue 23542300x80000000000000003350181Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:22.647{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B94D7E925BFB1DF21F2ABAC6A1A311,SHA256=585CC8DCD87397A9ADA9F8C27A6CB5E870CA4F773C98087284074012CA14CF7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011628950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.735{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011628949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.735{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011628948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.735{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011628947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.735{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011628946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.629{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011628945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.629{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011628942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000011628940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011628925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000011628909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011628908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000011628903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.613{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.598{4DF467A6-CB4E-6140-B7BF-01000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:22.597{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:22.597{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:22.597{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:22.597{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:22.597{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:22.597{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011628894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.212{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011628893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.212{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FDBDAB69C579B73FFD97A108A0CFD8,SHA256=31B90965BC232F98BFC131CEC34D5C89D32CB9062739EC2D8C2009F3036809FDfalsetrue 11241100x800000000000000011628892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011628891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:22.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=432F26D1F6A3D286E005E15485F1D540,SHA256=75ACE09A24978B2B0E9967204015F115E24A4F3A0F8FF2B0CA9211C1A5322DA3falsetrue 23542300x80000000000000003350182Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:23.682{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CB212E2102534BC9C3AD722220B552,SHA256=616D3F98570D310CCB97749F228B753F916F3404055B8BC896DECABA50DB71AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000011629059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011629058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011629057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011629056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011629055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011629054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011629053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011629052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011629051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011629050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011629049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011629048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011629047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011629046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011629045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011629044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011629043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011629042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011629041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011629040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011629039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011629038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011629037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011629036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011629035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011629034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011629033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011629032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011629031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011629030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011629029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011629028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011629027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011629026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011629025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011629024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011629022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011629021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011629020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000011629019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.984{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011629018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.984{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011629017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.969{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011629016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.969{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:23.969{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.969{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:23.969{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.969{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:23.969{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011629010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.615{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.615{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C44D12AD28668D30E6F722996F678CA6,SHA256=1F4E03C520BFFF30F14E9165CEE4F032FBF84B20C311E5054CE548B41A4BB5EDfalsetrue 11241100x800000000000000011629008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.467{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.467{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DE6BD646FA22F760303EAD610A80DC,SHA256=3B12BA63A39648B8FCEDD7078E304CD4CB80001E7F33BDD734DBB1E3B20EAD35falsetrue 534500x800000000000000011629006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.436{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011629005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.435{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011629004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.434{4DF467A6-CB4F-6140-B8BF-01000000F001}75483288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.434{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011629002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.433{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011629001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.314{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011629000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.314{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011628999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.314{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011628998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.314{4DF467A6-CB4F-6140-B8BF-01000000F001}7548\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.314{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011628996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011628995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011628994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011628993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011628992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011628991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011628990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011628989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011628988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011628987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011628986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011628985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011628984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011628983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011628982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011628981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011628980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011628979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011628978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011628977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011628976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011628975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011628974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011628973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011628972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011628971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011628970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011628969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011628968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011628967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011628966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011628965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011628964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011628963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011628962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011628961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011628960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000011628959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011628958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.299{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011628957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.284{4DF467A6-CB4F-6140-B8BF-01000000F001}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011628956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:23.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:23.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011628952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:23.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011628951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:23.283{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000003350183Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:24.684{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EF33C6ED9EC7F656F8E654B7821637,SHA256=B8487C0FABD710ED8B7723B91976604D10B3C7FE1C063929506B0978FB06D21F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.970{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.970{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B1164D106141808AA768CF84FF2E074,SHA256=85D2F10520B1D2EC944C8D93D143637A5C2852467B42B8E16B8A57A342198B48falsetrue 534500x800000000000000011629129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.817{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000011629128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.817{4DF467A6-CB50-6140-BABF-01000000F001}13883148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.817{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011629126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.817{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011629125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.697{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011629124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.697{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011629123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.697{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011629122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:24.697{4DF467A6-CB50-6140-BABF-01000000F001}1388\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011629121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.697{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011629120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:24.697{4DF467A6-CB50-6140-BABF-01000000F001}1388\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000011629119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011629118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011629117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011629116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011629115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011629114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011629113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011629112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011629111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011629110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011629109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011629108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011629107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011629106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011629105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011629104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011629103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011629102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011629101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011629100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011629099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011629098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011629097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011629096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011629095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011629094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011629093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011629092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011629091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011629090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011629089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011629088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011629087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011629085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011629084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011629083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000011629082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011629081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.682{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011629080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.667{4DF467A6-CB50-6140-BABF-01000000F001}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011629079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:24.666{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:24.666{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:24.666{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:24.666{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:24.666{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:24.666{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000011629073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.487{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-15493MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x800000000000000011629072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.486{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-154932021-09-14 16:18:24.486 11241100x800000000000000011629071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.485{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-154942021-09-14 16:18:24.485 11241100x800000000000000011629070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.300{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.300{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466D0BD0DD5DFFE5CAB376073294F9C1,SHA256=B411991F057E19B55E198D7280FFF646BA00C38063BAA3517E03D8476B28A651falsetrue 11241100x800000000000000011629068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BDED0D000528EF94D932ADDF1B2D6A,SHA256=9D9CF9C1C62EFFABD612FA38C13D66FDFBCAC93C4CDE8314850B11678A9F1218falsetrue 534500x800000000000000011629066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.115{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000011629065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.115{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011629064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.115{4DF467A6-CB4F-6140-B9BF-01000000F001}6484292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.115{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011629062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.115{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011629061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011629060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:23.985{4DF467A6-CB4F-6140-B9BF-01000000F001}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 23542300x80000000000000003350185Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:25.687{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E8C04698E4E800779226CC82A7F2BD,SHA256=182F09F0F747C99CEFA0F226318B4A3D97E5BA86840A0288B17299E8872D2190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011629192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.501{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011629191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.501{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000011629190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.501{4DF467A6-CB51-6140-BBBF-01000000F001}31122892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.501{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011629188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.501{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000011629187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.488{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-15494MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x800000000000000011629186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E305CCA734635DFE60FAF16FBA1B2499,SHA256=95580EBA9E54E4AE3E84DDD171AFC752626AF6B74D8C0C7FDAB6628983A3F628falsetrue 734700x800000000000000011629184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.387{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011629183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.387{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011629182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.387{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011629181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011629180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011629179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000011629178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011629177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011629176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011629175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011629174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011629173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011629172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011629171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011629170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011629169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011629168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011629167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011629166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011629165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011629164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011629163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011629162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011629161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011629160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011629159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011629158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011629157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011629156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011629155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011629154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011629153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011629152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011629151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011629150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011629149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011629148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011629147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000011629146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011629144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011629143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011629142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000011629141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011629140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.372{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011629139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:25.357{4DF467A6-CB51-6140-BBBF-01000000F001}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011629138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:25.356{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:25.356{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:25.356{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:25.356{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:25.356{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:25.356{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000003350184Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:25.455{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E87456119683ED7B3B5689363ABAF09B,SHA256=34F8C1AA164FD5CE639892B583AEB10C3DF9E4B9BC8D7F3BD557AAEC818775B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011629132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:17:56.395{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49596-false10.0.1.12-8000- 23542300x80000000000000003350187Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:26.690{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA044CDE7A93B1FBDCF640AD5CAE63A6,SHA256=E4809F72A965D83F5912494284BF09D1EC9EBBE9377DEABA861F0FF3FBC5B7E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000011629318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.888{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011629317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.888{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011629316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.888{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011629315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.888{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011629314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011629313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011629312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011629311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011629310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011629309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000011629308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011629307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011629306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.773{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011629305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011629304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011629303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011629302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011629301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011629300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011629299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000011629298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011629297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011629296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011629295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011629294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011629293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011629292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011629291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011629290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011629289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011629288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011629287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011629286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011629285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000011629284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011629283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011629282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011629281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011629280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011629279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011629278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011629277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000011629276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011629274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011629273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011629272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000011629271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011629270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.757{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011629269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.749{4DF467A6-CB52-6140-BDBF-01000000F001}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011629268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.741{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:26.741{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.741{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:26.741{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.741{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:26.741{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000011629262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62CF4F644EEE342BDDE798308D58DF1D,SHA256=EC6EF66793225391A2AD28E12F17BC9727372FB24E01B4532585227B4E461D25falsetrue 11241100x800000000000000011629260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DAE3AA592177732FFA49C5D48D75A1,SHA256=78E7AF3A4ED9898BC73F7FB6F96EC53FD28657DE78FA53A074EBA37384BCCCBEfalsetrue 11241100x800000000000000011629258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=282BB5E4DEECF0AF897DA2C17CE07F3E,SHA256=3BA8372A7A3EAF9D20BF42102CA1E86D80277164CC83CAD09D37770F0D1607AAfalsetrue 11241100x800000000000000011629256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DEE854708D2E95336A9C8036BD5240,SHA256=0ACF8ECDD12CB77E98CC3346444540398EA3E34CD51247602C55772ADA97951Dfalsetrue 11241100x800000000000000011629254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.504{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2880ACB407FA69B2ECBB5182F37AC720,SHA256=BCBC1AEE22554221B5A9822978F01F7ED28094A9B8004B2D82D9A7280A84E6C9falsetrue 354300x80000000000000003350186Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:13.298{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50128-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x800000000000000011629252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.205{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011629251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.205{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000011629250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.205{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000011629249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.205{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000011629248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.089{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000011629247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.089{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000011629246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.089{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000011629245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.089{4DF467A6-CB52-6140-BCBF-01000000F001}6440\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011629244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.089{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000011629243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.089{4DF467A6-CB52-6140-BCBF-01000000F001}6440\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000011629242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.089{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000011629241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000011629240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000011629239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000011629238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000011629237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000011629236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000011629235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000011629234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000011629233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000011629232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000011629231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000011629230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000011629229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000011629228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000011629227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000011629226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000011629225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000011629224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000011629223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000011629222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000011629221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000011629220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000011629219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000011629218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000011629217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000011629216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000011629215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000011629214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000011629213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000011629212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000011629211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000011629210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000011629209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000011629208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000011629207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000011629206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000011629205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000011629204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000011629203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000011629202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000011629201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000011629200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.073{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000011629199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:26.058{4DF467A6-CB52-6140-BCBF-01000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000011629198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:26.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:26.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000011629194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-14 16:18:26.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000011629193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-14 16:18:26.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000003350188Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:27.709{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23C91E6E310F41F7C00C061AA8FFF33,SHA256=E8D84E899EC86CF484664DD62D862AD3A0B39AC15C9A87BC1493DB511208D81E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:27.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:27.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEC0A78A6FB3B51AB0B989C306AB49EE,SHA256=84C0EF765EF0C4D54679E23FEEF6219CA3B92F97D1C8D4560FEE5D29330B103Dfalsetrue 11241100x800000000000000011629322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:27.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:27.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8804686295BC8ED12FE8F1A07DD1C52,SHA256=EAD1745640FF71F30E2A7E6DACBB4589028F9406FE615FCAF9B8969EFA244C36falsetrue 11241100x800000000000000011629320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:27.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:27.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=789044A06273458E74E18B24F0C83C77,SHA256=F9D00872F1D05F4242AC5BCFF00A1D8510A818215466CBDC084C7D21A4362021falsetrue 23542300x80000000000000003350189Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:28.734{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B31C69C02A754FD0F95CCE2B6320480,SHA256=2F845D7A13901BE18C4748DF51280CB10D9A7EE423C8EB8731921AFF9DB53B3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:28.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:28.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53855BAB23D25D4A65460886BD193AD,SHA256=5548E7446F41E15177FFD5ADCDD755D60E28D415EE6673AB2981FCC60CD3B88Ffalsetrue 23542300x80000000000000003350190Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:29.752{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694E4D960A426135D2FCBAC7A753D0F6,SHA256=D52405B1DBCDE77BDF87287B1E33B8637B2BBD8A0C6E40F022FE906EABE002E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:29.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:29.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7585CAF560766BF28A98CAF1DA9CF2,SHA256=707D695B4CF620DD0881F23308FADF30B6D944E674CCEC009E334C29ECBF0310falsetrue 11241100x800000000000000011629328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:29.244{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:29.244{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=989D155FFA8590CDF1D198797BCA2FCA,SHA256=039182452C8BE4948B7067FC392BA5C2E4B05A600A6B81F05CB8AD63EAADA916falsetrue 23542300x80000000000000003350191Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:30.786{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C14E27094711DADFFBA48E134ADCCBE,SHA256=49D0BEAEBFE621B752FEC84DCC71431D3ABF3C1EA72F3C46C3AB16C5B4803017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:30.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:30.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFFBA488B91FD3A1CF6E30A3A144B99,SHA256=1855105EB8A0604D878E27AF973D68D0BF2924536B8934E4C9060C23F1FB1FA5falsetrue 23542300x80000000000000003350194Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:31.820{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4915AE8DBD8E19201391F5482940F8B0,SHA256=473EDF8A70F5E5DA2B5D1A55103C39B30661238AF31FC1C430CDC9F1BA043A4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:31.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:31.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=392B279AFF1B57E9A764782629A1E828,SHA256=D686A6C23CEA5646393F249719871066B18192FBF46859A36B70B3F34F652491falsetrue 11241100x800000000000000011629337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:31.600{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:31.600{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FCEE1D713A3F6DCCBB124BF9D433F5,SHA256=C39EBA62FA2AA2A2888CE7FEB38183AF94356807B93B5988D61D15680BA34F77falsetrue 23542300x80000000000000003350193Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:31.404{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEE2E440C5E29DB4E1EBAE1BBC14B054,SHA256=2CA755E56E4E6F2101CA31B3BEAB277BD13E51E49A0CDC082CEF830488B1A0A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350192Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:31.404{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D57A9A1E99299582B885A67521E524F5,SHA256=84A681C4F08875DFB911706D56E285F2EE83580BEACB0CF71E1BC1D934E778A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:31.369{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:31.369{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6BDBBD0D3A4BEE4832BE3CCD763B89FE,SHA256=22E151DEB92F7E1CFA6A77FA4B69C7A47A46242D32A2EF711D7FAAA2A44884CDfalsetrue 354300x800000000000000011629333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:01.550{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49597-false10.0.1.12-8000- 10341000x80000000000000003350225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350199Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350198Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350197Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.923{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000003350196Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:32.822{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA09E9249991B9F569FAC69882B8ADA,SHA256=5FD3860E63EFD2EB48D55029F5E296E27B37310F023373BD9D737B634EFE4B71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:32.602{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:32.602{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4E76E75D156BF375C48D32F234F5FB,SHA256=B43A36ADC2D38054A5D98EF547CDE90FC6A73921BC844574C3E7F7F6EF09A4E3falsetrue 354300x80000000000000003350195Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:19.265{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50129-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000011629341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:32.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:32.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4BEDD3459C4760378B8F7C119C0699C2,SHA256=338EF471F3FB5EAC745C87932637D8FC3E1C7A29AFC36E602CA04F17BBDD9EF0falsetrue 11241100x800000000000000011629345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:33.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:33.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769EF380EF14577E2BC7FC1872E998DC,SHA256=DA555B5508C9F1436C763909637D6C5D5BAD3055E5F44515250F2B1DA804B9CAfalsetrue 11241100x800000000000000011629347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:34.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:34.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F374EF77904491935C841AB8A60E7BED,SHA256=CC2929096C0B6DAAA5FBB8B3207068D80BD4D1D7F82177B6A15CABCA55AF4BF0falsetrue 10341000x80000000000000003350239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB5A-6140-7FB8-01000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CB5A-6140-7FB8-01000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.727{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB5A-6140-7FB8-01000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.712{AEE49BD1-CB5A-6140-7FB8-01000000F101}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:34.242{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E62791FCFA7A201372EFDDF0FC72235,SHA256=026D6621FD4A53CE45473011C7D573514F58CB31157499E7FE1FD98955A0DE6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:35.626{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:35.626{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55790A1848CEF0D7BDDBA5073C0A1F35,SHA256=1D7D228A13E855A46639159133FC67E0DC1C285051BE7C094E7F8484C13FCD25falsetrue 23542300x80000000000000003350241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:35.783{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEE2E440C5E29DB4E1EBAE1BBC14B054,SHA256=2CA755E56E4E6F2101CA31B3BEAB277BD13E51E49A0CDC082CEF830488B1A0A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:35.282{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A515612D127AFD740CB9E818C42C49,SHA256=63791B121CF65629D307302387507FE53F3B71D55F5CC32482D63F4B3D62E8CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:35.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:35.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEAF27101BF4935FB5B6FF91BB3F4018,SHA256=D27896B0B8B2A21368CF3C469161A63CE43F678055072DE7D7424A001AB63B20falsetrue 11241100x800000000000000011629349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:35.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:35.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4748AF4A3EFC1EB19E1EE84DCCE06F75,SHA256=2C3370F1787F83F245F3A38DF9240EE3DDE447BD4280A5D2DA1EB69E7C7F8BEBfalsetrue 11241100x800000000000000011629360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:36.797{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:36.797{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3592034084F04305CFEF74A116455119,SHA256=55E74E70A482B65F174062C7A602DA0A2E7C06AAA0A77541A1684C9D3B731315falsetrue 11241100x800000000000000011629358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:36.628{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:36.628{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5191770015DA137631740CC69782EEF,SHA256=2FBCBDFFF03680B6E636D38CE2122662287DBAABC1F6796AFAB0FB1D9C670C96falsetrue 23542300x80000000000000003350242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:36.285{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7801C40E8630A7159C9FB816F23844,SHA256=3BE0936002F7777A1DBC9CC7800699F03DE226FB280B44EF563C1DEA3B7D93A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:36.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:36.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1A1D07B484943E727A5993B88FFF2D4,SHA256=B0648962EFF3E7174472EA6EF9583F1EEE2BA1B14319754FF3C006678E781557falsetrue 354300x800000000000000011629354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:07.483{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49598-false10.0.1.12-8000- 11241100x800000000000000011629364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:37.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:37.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0D4ED49255EF7D4046A5FB104F0373,SHA256=34855D95BF13CA01F1F9F5EE6C8D2457CD316BADC6913C41871C7697E96C9E54falsetrue 354300x80000000000000003350245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:25.130{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50130-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:37.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DC4F2A71A8A0F90FCCEF474EB36EAA,SHA256=3278A04F76DAB820B98ADC08DD18C1CB2204570032AD7131B02672B78958783B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:37.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:37.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=060A742C408A6E538051259D7B3F8255,SHA256=EFECF502D384535787D38C9C821FFF877DDBEE56995D3DF4574435B84408B7E5falsetrue 23542300x80000000000000003350243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:37.054{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC955A63D1B9B8ABC495577A918A521D,SHA256=264F93836315A89D81BE1D66FA0A79E652202E16CC07A22C1F1F7694FB68A3F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:38.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:38.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C9101BA1DA146EC6704159019D3BF0,SHA256=154815C59926902994F709597DE7FD9D38383266155B19A6B89A0F49F057FC9Ffalsetrue 23542300x80000000000000003350246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:38.358{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1A408A924AA28D672BC1B1F45C6BE5,SHA256=2A920A7699D74CF5BD5360509E57BBB840DC774AAF555A159716B53020127552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:39.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:39.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4932A4AFAAF4FA864BB117D5599CFAD,SHA256=AE6E6D108BA24E73514612EF6D27F24BB6B251310B6D393DC96C5C263C7AB80Efalsetrue 23542300x80000000000000003350247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:39.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2612E962C4A440F4EC628A205899DDC6,SHA256=966A39C83E44B1253EDDDAAC5A7A0BC00F425B54896BE9A563F543BB9D154609,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:40.691{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:40.691{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3DE455836BC9A22AF748374E693720,SHA256=A4DB266A1209EFFD66861B532CCADCADFADAEE36A0A635B1666A871D16307B0Bfalsetrue 23542300x80000000000000003350248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:40.381{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19CCC0BBA2D393A21E4AD3B4EA5F8B9,SHA256=F498212E2E5D2D19DD9846A3BE3BD864802F3743451E0A1725BEE99DAEB81C60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:41.416{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BDAD2BB3543543527F56FF495714C2,SHA256=6864BB786CB97D3EF6C759B4FE2B6C89BF2B7B8129046F0D91FD0F44ADAEC1E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2915E47C1D2DAD3C8F23939415FAB4CA,SHA256=B2038A1A491722DDFA79C67352A071618AEAF8B75113B5A804F85B7829ED0C02falsetrue 11241100x800000000000000011629378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A9142EB2898479762759F522C07CD6,SHA256=770125A7552CCC947C08238FBCE41BAFCDA0541E914E1BF8071562D6A600B0CDfalsetrue 11241100x800000000000000011629376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1AB4B7335A0A17FBE69444F6232EB375,SHA256=B91515CC9EFCC701174B86E23614EDB63C5DBEF97716E76F5C8AEC62695853C1falsetrue 11241100x800000000000000011629374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1D09A32591471180EBCA1F25CD5C335,SHA256=1C8AB0CBC12634232F5A88F36CB2FFB64AAB831530F240D5AB4B463B314D7D25falsetrue 11241100x800000000000000011629372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:41.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEAF27101BF4935FB5B6FF91BB3F4018,SHA256=D27896B0B8B2A21368CF3C469161A63CE43F678055072DE7D7424A001AB63B20falsetrue 11241100x800000000000000011629385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:42.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:42.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA225010D52D68818AA694D25CC5F71,SHA256=41BD2B8D610CB25F7BBCDC969E7FFCCB2872A321E4D93AB3E29EE39066653620falsetrue 23542300x80000000000000003350250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:42.450{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A08BABB612859113EFC9C94F4A5391,SHA256=0B15668A7597FBDEDC715967CB7AD66AFC5CA480F8EB9053A3B1C93AB201420F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:42.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:42.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CDD4AF8C5316D07FD592642E40F1D5A0,SHA256=AF55A77E58F5C62D4F10397C1D248ED8E608E3A9682217A07915D7B746C4DBF3falsetrue 354300x800000000000000011629381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:13.448{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49599-false10.0.1.12-8000- 11241100x800000000000000011629391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:43.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:43.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74B4085E49AE77A0661147510A7A869,SHA256=45B0882289E01C7D9490BDC4DC88E8DA7E8DAE44F0FFE31B48DAA4742E65500Dfalsetrue 23542300x80000000000000003350253Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:43.452{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A360EA5F95D9B06C30A1C4C387AA9B6,SHA256=FB750AC4FB7D5A524FFDFA24CF805E69E93CE4C165DDCE69A041B1CDAFCB8D9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:43.631{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:43.631{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1D09A32591471180EBCA1F25CD5C335,SHA256=1C8AB0CBC12634232F5A88F36CB2FFB64AAB831530F240D5AB4B463B314D7D25falsetrue 11241100x800000000000000011629387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:43.415{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x800000000000000011629386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:43.415{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 23542300x80000000000000003350252Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:43.020{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=091694A2D37DA053FB999F3787D74AD0,SHA256=3A8EC49740B6A081A335C8FA144FE569B21073DEE2D815704F1340CB85FF99C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350251Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:43.020{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6B7BE41A64DA82F2EA55EB538ED269,SHA256=0FD9165EF2FB7F1ACC459F1EC7C595492A25B550D397C1E2A572473FDE133216,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:44.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:44.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF02F40C670BC1ED6257D33025AA97D8,SHA256=0CEB96C6D8D7E0FFEDCEC849BA7A2F1C738AA0144BAE8A445AD56706CEEC226Dfalsetrue 354300x80000000000000003350255Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:31.098{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50131-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350254Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:44.472{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8952D453F20FAF1700472E9D07B08E8,SHA256=0E487A26A69BDAA77DE5CE91D63ABB57AAEE162E7B29F8E22CA7BD4C7DFCB35A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350256Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:45.480{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13356E1C7CE19BD8893BC021197682D2,SHA256=0CC63FAB4CC8A39CDA263B2E1FE9A60F1E0FA5AF56BF4A74A503AD4810C04394,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:45.769{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:45.769{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A30D0B01554EB0289287AEA5E8A14D,SHA256=7D0A4827A089C07EFC37A3C15DC089A1736ABC19A33D42A96276A7EBF48B5098falsetrue 354300x800000000000000011629394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:16.727{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49600-false10.0.1.12-8089- 11241100x800000000000000011629404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.908{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.908{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10F716A2DBEC4C04AC3FF124DB792AE1,SHA256=85174EAB7C537BA2D7C65B962DAE2F795B3FB2234851133F4C238E0AB6CA52C4falsetrue 11241100x800000000000000011629402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A56052BAA652723A6A5EDEA1B6FE5EA,SHA256=5B9F9E97C4143F060AED91A185E2B0B368B8CC65146B1C80537DA3337EEE0063falsetrue 23542300x80000000000000003350257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:46.499{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C350AF7799DCCBA52F0EBE9BD1C0173,SHA256=650FEB08A4DE71890AA4CA7D75F59F8A9074EB71EEE34CFF720FB1AE96851A60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=944F3112F0653FA81B75BC1985A8330F,SHA256=6E9882EF4081E074A0AC0FC2521E7DCF1274AD54B6C89A55D927931613F63356falsetrue 11241100x800000000000000011629398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:46.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE55DEFED57392A7E405555012EE41B0,SHA256=4067B317827D50D606843CCAD398A6B552408225F3193613DD66D359811A37E7falsetrue 11241100x800000000000000011629409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:47.842{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:47.842{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE637385574FC488AB59556E63099BD,SHA256=A91ABD69A3EEFD5A3D7F615BFFD7564D55FA0610A41E622A82B5A34B8552847Dfalsetrue 23542300x80000000000000003350258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:47.502{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9D37A9F3D39BF0E97A5CEBDA47D7F3,SHA256=07DC4BFE3CF1D6ED131FF8E6A6589A2FE2BA1FEE0CE2482683A1A1F312BC75AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:47.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:47.392{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87FAD8187F888051DF97FE6031DB896C,SHA256=C3D1413EE3F2D51D1188FF88D968FB4D2EE8B1FA1A0F3C27D0C3E5312627016Efalsetrue 354300x800000000000000011629405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:18.532{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49601-false10.0.1.12-8000- 11241100x800000000000000011629413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:48.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:48.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2492B3E55D1FED8F91B2EBA07B61F4BF,SHA256=8888F541A2931042AE93E58E0169665F6BE8ACC0F718D87DB2C295EBEACAB646falsetrue 354300x80000000000000003350262Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:36.159{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50132-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350261Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:48.505{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D6A46E0E6BD0006B9621C642A501F3,SHA256=720866317A98F2C0C2D01745C64052B5F74B03B2DC1018B78D0B0EEE596097EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:48.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:48.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0940C057A6865C4687161273BFFF06CD,SHA256=2943DE727C079BC122F7663F094E60082DD28EC8B6A2858B414BD74CF77D7565falsetrue 23542300x80000000000000003350260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:48.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5FA872FE8D64CE2C2D9918A4DFA2EDC,SHA256=8CCC7BE5A9618A2D2E9D63F834AB6AC6BA20BB67637F05B6AECD4F3A9606C729,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:48.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=091694A2D37DA053FB999F3787D74AD0,SHA256=3A8EC49740B6A081A335C8FA144FE569B21073DEE2D815704F1340CB85FF99C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:49.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:49.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B0C96B8A552C0EC689530EF5A7E224,SHA256=D7414EC0B0C31CA2F66D6E343737A5C94D53598C0131536F607A3628A67FEB6Dfalsetrue 23542300x80000000000000003350263Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:49.508{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E844EE86E985F6F274AD751CBBA649,SHA256=2105BDCDD40BBF5CCB907FAAE8A57212E2074E5E6F2B2AEA03D0458C7A24063C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:50.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:50.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835C3A0D59497ABBFC5309339FB502F5,SHA256=496D080A60E82F52D74D9B585EFCC4AB297C2246224F45635A5A9E274578075Ffalsetrue 23542300x80000000000000003350264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:50.511{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D06AB42D8E047D135F637E27DAB595C,SHA256=EB843538D6E4C2CD51B720D7F980829AB39B65E7E507BBC8517D6AB1FE04D96C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:51.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:51.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3083805A03F90D3D175E4AC94E9F28C7,SHA256=B3F8A4E6EFA4794825306DAFB23F8FDE6B37BD7D6C02D510821DFC76D9A222F8falsetrue 23542300x80000000000000003350265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:51.513{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3275D88002C9A9A1FE9CAC29937BD2D5,SHA256=426370C18E3E19EB50553FCCF75EA05FFB224CECD8138CC01C7D2EC64449E4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:51.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:51.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1FB65E327FF247186D53B590C1CBE6DF,SHA256=45740484A095E7844673F731E7D332CC933F10508E6A2096ED08104EA822B866falsetrue 11241100x800000000000000011629429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139312A711DC56113AD6205B8D924181,SHA256=BCC9D51B421E016DBA5595A239A865709E4D381E56E240BF3EBBE10E4F09BB05falsetrue 23542300x80000000000000003350267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:52.818{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-15486MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:52.516{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFC7E2D426652CB0BF59F1B3987EF3E,SHA256=09531E2EB43A95E32C1F9F573293612FF906E3C3141AF5A3F2AF1D7C69B745FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D3AB338A0501F4B59BD0196856B50A00,SHA256=CAE6145F9E5931F324ECC3017EE8C3412EBCA4F267B1B96194F5FE5A5ADFBEF8falsetrue 11241100x800000000000000011629425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.202{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.202{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=002A3321DD7CEC6826C5D7D4509B39DF,SHA256=F8B475D2A78A999102045B215699A83D954F9F3138CC2A53CDA6A237C96B8F77falsetrue 11241100x800000000000000011629423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:52.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86C8EF76C3452CE0C00AA58F8876704B,SHA256=4B52671A614CCBC582DF62C5398E1E42DA95360B5814E4CA4F2A373B1E401D4Efalsetrue 11241100x800000000000000011629432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:53.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:53.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7944E0B7DBF763CFC0ED95D9E09B1795,SHA256=86BC67B891F611FEC5295F78A12684F477860F36737B8B6E694A13ADF7FA4EF0falsetrue 354300x80000000000000003350272Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:41.227{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50133-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350271Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:53.820{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-15487MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350270Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:53.519{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098557F20CB758DB685E7BAE0F0E1E3C,SHA256=D74B6E631C559C44752CFE606A80E7C35C74419D8945E49B3F23EB844CF07E61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011629430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:24.525{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49602-false10.0.1.12-8000- 23542300x80000000000000003350269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:53.149{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3607032B9CDE6E6BBA5409393B23AA62,SHA256=70FCCBE710D648A3C42DB1A6002537D581C931FBAF8347BFC31C43A02B0EDFE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:53.149{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5FA872FE8D64CE2C2D9918A4DFA2EDC,SHA256=8CCC7BE5A9618A2D2E9D63F834AB6AC6BA20BB67637F05B6AECD4F3A9606C729,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:54.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:54.945{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB39B55402BE3CBDA25925C09453B91,SHA256=745D36A02BCB3F620758FD8F76F3513A4BBD58E79C74D70C64BF6B0767794EF8falsetrue 23542300x80000000000000003350273Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:54.538{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6676D2563798F69D2A4213B0DAA475C,SHA256=DA832C2BCF78B4F6B133305D0127A8673555CF7384C6B475FCAD161C3B2B811C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:55.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:55.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD4ED9A61E0297BBA0B734237C20540,SHA256=D9085F820D6EA4A13D269EEE1CCF59772FBB82F6B87257540849697E0DBA23E8falsetrue 23542300x80000000000000003350274Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:55.541{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EA1D5DD9FC95D3CDD226E7CA857D58,SHA256=FF69167FC86EF017A4F3278F0D132580B9337E022109FF6770463B29FE0E0DEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000011629436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:18:55.092{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000011629435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-14 16:18:55.092{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x800000000000000011629446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F69405DA8802F747FC8704BECC59DE,SHA256=BF491CBE09FD24D6A1D140B417F55F8327B0756AADEF5FCBE6567A592D061863falsetrue 23542300x80000000000000003350275Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:56.544{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9183E3FBCF058F87C25F3A97C57DA032,SHA256=141982362AB5387ED332A675147539F3909795C490C2DA0935FA042DEE9EFA29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5FF3CA432BC62EB73A75B00C2918966F,SHA256=E61BF502DAE311432B05B95D1D3371794F535583D93E70A79F8BE5034DE50A26falsetrue 11241100x800000000000000011629442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.294{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x800000000000000011629441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.294{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6FF98F12E8596E0059CDC0A684A9070,SHA256=BB440F0ECE886155185CABA3F1F55778338385AD8313D0352763B16D7F691392falsetrue 11241100x800000000000000011629440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:56.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9542962F4C8EE09E705DF10F5F5FCDB9,SHA256=E15DD939A553317645C0A9B270C9BA4CD725D0E2EFE163D2DFE1B5C6CDAD7C7Dfalsetrue 11241100x800000000000000011629454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:57.967{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:57.967{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B48DA8388352516EC8B297C88CC786,SHA256=84FB543DD3CE6FFFE2CCD0018F69E98B0C5DCC6FAF0F806948C7CB48BCB7D1DBfalsetrue 23542300x80000000000000003350276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:57.547{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B5AB7FED720723584C22C1DD68DC9A,SHA256=D272F0AA424344A93C6C0984E4FCA7CA1ACCC97228540F344D71E0407C140E9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:57.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:57.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=74622D88AE11E22C619A3C646F178585,SHA256=2B7B138A69F0D02BD50D225203B85526915E3A7E3E2CF6847EE7FF8D68E39971falsetrue 11241100x800000000000000011629450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:57.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:57.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F81A7566C1BB321103B3ED40976B12D7,SHA256=923873EE988F29FBDD466C16CE189B86926EAEB2249A73126228ED91BA799CB7falsetrue 354300x800000000000000011629448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:28.419{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49603-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x800000000000000011629447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:28.419{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49603-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000003350277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:58.550{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E1E12138FD0A59995824C7C372FCCF,SHA256=DCD0297A1D6308C8EC7B7D99B2770FEC930ABDC716E0FBAA60DFBC360D50F64B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:58.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x800000000000000011629455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:58.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=928775D080F6E3E9C972EC42AC979CCE,SHA256=F0901E90A43FFFB4AE1A51AD0A547E2220CCE9FF8E1E9CCD94F4C032F5E82421falsetrue 23542300x80000000000000003350280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:59.553{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584621DF640B823B52EEEEE655AD58D1,SHA256=5BEBB2C3128A394A9DED6B0A478FE3E73FD99F14148D8E4E79A6F29D77642410,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000011629459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:30.523{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49604-false10.0.1.12-8000- 11241100x800000000000000011629458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:59.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:18:59.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1360E4D05A7B2471F721AA512B279715,SHA256=FB7F30CA17D448A7ED1D1D72C116A3CE2C6AA3922EA73EE0B30559C729933C99falsetrue 23542300x80000000000000003350279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:59.016{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59D2BF60A1E73C4D25CB0EC44A86A2E9,SHA256=7413E95BBDC6C6D50CAB7D698E9C663334AD6BD8FEFD7C738986E4CD3EB88B7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:59.015{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3607032B9CDE6E6BBA5409393B23AA62,SHA256=70FCCBE710D648A3C42DB1A6002537D581C931FBAF8347BFC31C43A02B0EDFE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000003350282Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:00.556{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37216C94D2F65265F29BBE0D2411968,SHA256=B140D0A9AE7CCB65CEAFFAE9BAB60C3434BB0D5E05FAAD18FD652E24F24877FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:00.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:00.025{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCA2ADD7E4DF430992A6D112811EA58,SHA256=DCB54D72DED0364F383A13207E3199056ACC50DFB085DA4AE3F44C5574A1A90Efalsetrue 354300x80000000000000003350281Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:18:47.093{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local50134-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000003350283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:01.558{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3446A0C6C48FA8636D5D73E1BC5472E1,SHA256=F49541E434379451E1F3B885FAE8FB98C69CEEBEFAD73D962ED259329BBF581C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000011629465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:01.609{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:01.609{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D923D24ED80FD3912BDD6C93FA575038,SHA256=652BF493729FD9D439E1D83CD1BA9992C7DFC0CFF09B4EBF8FBBD4497DD04973falsetrue 11241100x800000000000000011629463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:01.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:01.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622DADBBAD911CF022BBF97800D1C996,SHA256=D1EC169F38664BF747AAE20AE99456C55F0D076FC60FBEA09BCDBA2ED85C43F5falsetrue 11241100x800000000000000011629471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:02.531{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:02.530{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F70D215D124ADB77D861B5B835389062,SHA256=F0CF773EFC629CB3C7FCF5E46E07F5C88F35CA07BBCC69FB684EF1D7D44C15CEfalsetrue 11241100x800000000000000011629469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:02.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x800000000000000011629468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:02.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B45B5AD06AF4F93548DF3F88C821E8D,SHA256=619AEDBD2C29D2B0D4907D3AF484B34FA212D1FE3F486605721056F8D9C36E1Dfalsetrue 11241100x800000000000000011629467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:02.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x800000000000000011629466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-14 16:19:02.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC165E1F0B591200E09E2B1E5C633A2,SHA256=545A83C3B95C548FE4AD9B8499AC713AF2DD7F137E7CA46FBBB93D4E9D4ACE2Efalsetrue 10341000x80000000000000003350311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB76-6140-81B8-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-CB76-6140-81B8-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.961{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB76-6140-81B8-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.947{AEE49BD1-CB76-6140-81B8-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.561{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A964B0D88A29DB3CBB75429DAF1EF8,SHA256=9C2407D483B17F6AE3C931688BFFB6E4D538D2414ADE02EDDEC544589A07A270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003350297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.429{AEE49BD1-CB76-6140-80B8-01000000F101}9562036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB76-6140-80B8-01000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350290Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350289Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350288Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-CB76-6140-80B8-01000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003350285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.307{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-CB76-6140-80B8-01000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003350284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:02.292{AEE49BD1-CB76-6140-80B8-01000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000003350326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D8A086F77F9F829C07F70E083E9EB9,SHA256=7B60CD8341E948EFA5EB1CDF2FF7F9ABCED5608C1ADD5D1CDBA92F7E9760E03B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000003350325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-CB77-6140-82B8-01000000F101}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}7242852C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003350317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-14 16:19:03.563{AEE49BD1-415A-6132-0C00-00000000F101}