11241100x80000000000000005426726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:40.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:40.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE1177FA10245CF19E8F6508BB1C03E,SHA256=D39A189BF440E501CF2453B2DB9E1579E762ED39CB008B83C5CDC04192A55223falsetrue 23542300x80000000000000001535030Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:40.641{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534B825C3E2CE8232CA31010BC641EA2,SHA256=129FB1A9E00871F11FCF8DBFAAD503687E27F7C4B3B930721A3027A5966D89D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535031Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:41.643{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1965130D89A9A01C104226D4D3B0E4E,SHA256=53B6DB0424C858038B5F0CBB658E6BC8D2A60E4857687335F9BA27B59E11EADA,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005426755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.450{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.450{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C66B1B9E30ACDB0D95D7C5A611769FF0,SHA256=65580EF10B320CC63F7366A82331792D6A7E17FF2ACCC5724EB5E9677C08FE8Afalsetrue 10341000x80000000000000005426753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:41.122{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.846{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC66-6138-23CE-00000000F101}4408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.846{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:09:42.846{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535037Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.846{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535036Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:09:42.846{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535035Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.846{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FC66-6138-23CE-00000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535034Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.846{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC66-6138-23CE-00000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685FBB63F00187DC220453CA68210F11,SHA256=67815C0EAF344A901815C67CDD1D6703DFA3625D970B634590AF3A6EBF83BC21falsetrue 11241100x80000000000000005426824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.942{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BA0711454E546537065FD22E0CA0792,SHA256=1D7A80B443360B9BA5166A728D3FA10E9CA2C31BEF2B0310A43F298977614437falsetrue 11241100x80000000000000005426822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AEE8E10245E33F9F365CA8C6DD4A597E,SHA256=43B6B0FE99FF38D05EA78A7E6A8FC4F0B26E74A655207E0ACE5C7606F0342A64falsetrue 
11241100x80000000000000005426820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:58.442{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A755808F40566F38129172951D64AE4C,SHA256=E32819A27E291400F2713A19D62CC7DF594283E88C01576616B5C81E5AEE5766falsetrue 23542300x80000000000000001535067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:58.774{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC8733A6ED07EF3C0C9B845E4ED3D67,SHA256=23562168866E7764D40655FD8F3CBD9DEE55DCB87D72D1068E7A0F742CAED42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:59.777{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC012AE1EE5DEC1BD53999C62A15C671,SHA256=A6D7D6A558794601DCA22ECFCEE718D49151AD0D8E7043BD7B397BF028F4E176,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000005426832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B8BFCAE254D62C1D898D7FEE1FDBCA9,SHA256=7990A6456AE1DECEF0D3900E0856B9A224CA263F1030CF182A4493C7B5490F5Efalsetrue 11241100x80000000000000005426830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146EF0269012E29A8BC792B262C97F7C,SHA256=E4759E311CBCC0B4D8BFEB5F7C88082C16F84B690240AAB818170111993E610Cfalsetrue 11241100x80000000000000005426828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1641A8E3B68D93C9C4B8604859BC9CA2,SHA256=697718F4C8206F3282FBD919ADDC0C4E53E6F8A9B67E31BFA423640CB6135266falsetrue 11241100x80000000000000005426826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:59.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD1BFD9D3450F94DF68CDBC3E332843,SHA256=6F7FCBE21FD261A9253953127A6D70B453C90233E9E66B73FDF50ABCEB9BE0B0falsetrue 23542300x80000000000000001535070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:00.780{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7428B622D169D27CAB1B047AC22404B7,SHA256=A7590F6D575D688F2A8A57D861838E40EDAC820B14C376926DA4DD898AA97C54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:00.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:00.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ABDE37DAE1D729DF90ABDC9DE2E643,SHA256=7C8984704E61D4C8346A53BEDEDF8096709A9658F9D9B46046E98FA9A2755DE9falsetrue 23542300x80000000000000001535069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:00.043{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AC2E9C31DF85861827A1FA65FDCB0C4,SHA256=DEF0801FBA88F5E4C0721A6582ABA864891BAD6E29179F1918235AED6C52208C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005426833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:45.864{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63350-false10.0.1.12-8000- 23542300x80000000000000001535072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:01.783{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660745F051108E56481C5521D562F252,SHA256=53DBB8BA085585E2F66BFCA670607EA7BC896D06CEE50C40F449A7CA512BD624,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:01.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:01.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E834CCE6ACDBB32BA0896C09B54C31B,SHA256=571024EE15DEACEA98FC1AAB0D0726137AC6CB318DF26D88A202B3364610830Ffalsetrue 354300x80000000000000001535071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:53.701{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001535073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:02.785{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE46A0445605CA6FA9A3A5FEB6B496A,SHA256=D8DBB2C94B3BA1809D7B0923DF8A1C17355C4C59A38083AE601AD743A6A247C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1641A8E3B68D93C9C4B8604859BC9CA2,SHA256=697718F4C8206F3282FBD919ADDC0C4E53E6F8A9B67E31BFA423640CB6135266falsetrue 11241100x80000000000000005426839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.536{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B117559C10C3F91FB7B8D82AC2FCC88E,SHA256=68862CBDD782622C36DF4983A5DDC56C039F6FBD3CC54B2947596F3BAABF32F5falsetrue 
23542300x80000000000000001535074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:03.789{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316BB85D17B99C7592D7DA67A0228348,SHA256=34AD142BEE1400C5E00FC8A6AB053422D66F49968BB83F30A0EE438B06550207,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5145BF483FB462906FC0F63E8EE83830,SHA256=4EB0A201150FCB7366D01512FE34C3B8DC8245EC5E45BFE5BAC8B66C5DE464F3falsetrue 11241100x80000000000000005426843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:03.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75113F4838875E38D76A602CD2BFE5D8,SHA256=2764A550749EA9E89E8C797E5175D57C18F7664393FC0700C01FD121985575EDfalsetrue 23542300x80000000000000001535075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:04.792{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9112B382E2AF2A3A00BF652968FE6F0,SHA256=5D04779B9EDA71C0DE17A57F6CC51A5E5D13DCE38AA9CA924EB65E3A2EFD1231,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A20B935EABA0CB9600526D35879A3A0,SHA256=A437F214196B974A924F51B0136E45251046FECE368AAF9AA2036EA1CBEF43DAfalsetrue 11241100x80000000000000005426849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7EB691B40FBEA66CFB3724EE5BAD25,SHA256=5D3303D266831F0A05D3DAECF344BF92E880D58E94728CF8E01DB77C8C1289B7falsetrue 11241100x80000000000000005426847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:04.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=660106451C709D6EE383278B41951BC3,SHA256=C7EF41846454FBEAF7A1627D7FE6DEFC2076929425C7E94DD631BBF0F84C2903falsetrue 23542300x80000000000000001535079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.795{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF0961EB145D49C3B08C4D90BFF8258,SHA256=90933E409587E7F4B39DC45040CB780EE71E2CBCD9719AEE60244448940A2BD2,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000005426859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.817{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.817{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005426857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:05.817{4DF467A6-3F47-6132-0C00-00000000F001}8368104C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005426856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CE0EB2DB5DF3BDE58D173E9B460200,SHA256=ECC62AAD7C9647BDCFD1AE03F485A128365E5ACCDE2EE01B8BB8FF2BA55E4D7Ffalsetrue 23542300x80000000000000001535078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.757{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=51BDB4898F3506A3533FB32B0F89FEE0,SHA256=7FCAFD25AC98F05DB11648671A0EA211A4087FF2DD75D007EF70F8A722F3D572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3222A57B26887F99D2CA807F4C567EF,SHA256=62051FB0DB8B0994225215E5FF8BB17DF16E9400F7D1FA74C97AE0CE3DCF39A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:05.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D6247FCE5077A7FBD27727B1375CB3,SHA256=4C84CDE2BB50A0376503EFC374BC259301EEA3E3B78DC4264A06280A7794A4B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005426854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:51.738{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63351-false10.0.1.12-8000- 11241100x80000000000000005426853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
18:10:17.772{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.772{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:17.772{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FC89-6138-25CE-00000000F101}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.772{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC89-6138-25CE-00000000F101}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.757{AEE49BD1-FC89-6138-25CE-00000000F101}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001535110Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.224{AEE49BD1-FC89-6138-24CE-00000000F101}47525840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535109Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001535108Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535107Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535106Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535105Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535104Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:17.092{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535103Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.092{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535102Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:17.087{AEE49BD1-FC89-6138-24CE-00000000F101}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.874{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA48961D5014D9B15810658DC4E8D79D,SHA256=451B90C9FC431A24B46B6B215ACE1966EBFA6DB203ECA4540A62885E06331611,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5D36540082CF519D1B1CE127880FD516,SHA256=69237D2B6E32D3F88D72C5AACE5BD5D8943BC03FD4049B111D583699192A1928falsetrue 354300x80000000000000005426932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:05.347{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63356-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005426931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.347{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63356-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005426930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.335{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63355-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005426929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:05.335{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63355-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 11241100x80000000000000005426928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005426927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0CF9B0B844F9D12A8AE98234D43F10C,SHA256=CF83FE7FBB9EBEB80E2A37F0235811916308B5324A2024119A311F90F2232F0Dfalsetrue 12241200x80000000000000005426926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:18.709{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005426925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005426924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:18.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E28D759B5DBE1E3446B7717B2D20122,SHA256=9D549DA1D05581705F9E01C86205A9DB5844B9E8CA4CAD3F387FD2B82E4AE5B3falsetrue 10341000x80000000000000001535128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:18.326{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001535122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.326{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001535121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.312{AEE49BD1-FC8A-6138-26CE-00000000F101}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001535120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:18.093{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D73BF00492ABF610D39AE80549382751,SHA256=D4E8F55786F468386499EF6B5224435A73D5F759003E5E633154879C2FA4ECF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001535131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:19.876{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0162FAADBBFE6D3073DF691D3411A24,SHA256=34E116B774F0C1172D5D9755C618BBD60325F5CD1B96C9011238B0623FEB1577,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005426944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:19.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005426943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005426987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005426986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005426985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005426984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005426983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005426982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005426981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005426980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005426979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005426978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005426977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005426976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005426975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005426974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005426973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005426972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005426971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005426970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005426969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005426968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005426967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005426966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005426965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005426964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005426963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005426962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005426961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x80000000000000005426960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005426959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005426958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005426957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005426956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005426955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005426954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.256{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005426953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.241{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005426952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005426951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005426950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000005426949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005426948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005426947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.241{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001535139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:22.922{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745A43822E36B3AAFCA4E156284A3F60,SHA256=A48F62D46E5D4035126EB02BA8A99B458A8B4BB3095E91A2BB32265F2776763E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001535138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:22.467{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:22.467{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001535136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 
18:10:22.467{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005427125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.913{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.913{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC1B70EC23B6A46A70B695A24758244,SHA256=8669EAF2D28D29F11718C223141340F948B6650E6A0B5D00DC30C55D9A1777A4falsetrue 534500x80000000000000005427123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.756{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 
734700x80000000000000005427122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.756{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005427121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.756{4DF467A6-FC8E-6138-19D4-00000000F001}77406508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.756{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:22.756{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005427118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.647{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005427117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.647{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005427116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
18141800x80000000000000005427115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005427114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005427113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005427112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005427111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005427110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005427109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005427108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005427107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005427106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005427105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
734700x80000000000000005427103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005427102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005427101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005427100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005427096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005427095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005427093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005427092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 
(rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005427090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005427086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005427082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005427081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005427080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005427075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005427074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.616{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005427072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005427066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005427065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16889D63AEA73D3391B3B36345CF38EF,SHA256=D75F25AC6D8C15F7BA745D12866500B3386EA4FAD149F75FB8768F75F0E2D356falsetrue 11241100x80000000000000005427064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005427063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE1B2C9E78C616DBEE343E4C63E501D,SHA256=E2F385E8A318141EF0C525642C3B10179D7CD15FB0B64ECEFDC612E048D47FE5falsetrue 534500x80000000000000005427062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005427061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005427060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}66647240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005427058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001535140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:23.925{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F918219E124E621261A1D87735B6E5,SHA256=65F6C44DAC089FCCCA73D0A4590793F57E50F0E18CC631096701D51BBD7DA96F,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000005427192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005427302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005427301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005427300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000005427299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005427298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005427295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005427293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005427291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005427290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005427288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005427283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005427281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 
(rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005427279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005427278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005427276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 
18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005427275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005427274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005427273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.694{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000005427272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005427271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.679{4DF467A6-FC90-6138-1CD4-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005427270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005427266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005427265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:24.678{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 13241300x80000000000000005427264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 
18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000005427263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000005427262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005427261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005427260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 
12241200x80000000000000005427259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000005427258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000005427257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000005427256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000005427255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000005427254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000005427253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005427252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005427251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:24.413{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000005427250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005427249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF905ECCBE33ED5C033A43EEF701CE2A,SHA256=75CBF179AB69A662C1772AC2FDC99BF9DB845CA9E772451E55AD0B00CCB0FEFCfalsetrue 11241100x80000000000000005427248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
734700x80000000000000005427359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005427358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005427357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005427356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft 
WindowsValid 734700x80000000000000005427355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005427354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005427353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005427352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 
734700x80000000000000005427351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005427350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005427349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005427348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005427347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005427346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005427345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005427344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005427343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005427342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005427341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.256{4DF467A6-FC91-6138-1DD4-00000000F001}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,S