354300x80000000000000005426764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:29.779{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63346-false10.0.1.12-8000-
11241100x80000000000000005426763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:43.498{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:43.498{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD1F73CEE42A9151BBAF578C03A5D2E5,SHA256=9B10B5135076E39CDB268CAD58776E57135EE4E09C4D3E104A1C354EB9549A5Afalsetrue
11241100x80000000000000005426761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:43.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:43.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CBF324E3509CC62FA6CA50254F51AF,SHA256=19BCE5413D18B85E89733D34796DE6F34DC71126CE831CB49D1EFC9614A7D235falsetrue
354300x80000000000000001535045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:37.707{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:44.650{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E284A9AD02283EAC681F1066CDEE76,SHA256=9AD54C54E9F96B81A77C4719C2EBB2A0B038F26FDB7B28E24BA085ADA658D0A0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CEC3629657FC78EF4E2455071BB9ED04,SHA256=B14CBCD3A84F86480722C809F9DCFDA16DC991DF39073DC0FDEE9C961A01514Bfalsetrue
11241100x80000000000000005426768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:44.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0738A3D3CFE4C4FEF5FA7B41D4A531C2,SHA256=76DF09B760E1F2A545147E7B184A5895A13CFC9989CB9CE037DD6562641BBB5Ffalsetrue
11241100x80000000000000005426772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:45.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:45.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3893763E12740D3ED585013F0DABF9D4,SHA256=3A500129CFC3A684D5A4D0807E266FB2DFB7EA681CC6892B56878E8650F4EF6Efalsetrue
23542300x80000000000000001535046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:45.653{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47E95730FC508EC4D772F9B19179887,SHA256=85EAF8B77D8E95B0C1B32925042A5B7BEB4AE7C90BE59AC124B013DA886D610E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:46.656{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02E6B88C13E2BB74EDC0C3442329B64,SHA256=0D9CB321CF4010CC1062C703D6E47F9E4DCB32E0161308A7D6E536147FDA3197,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:46.326{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:46.326{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4514DBCD6AA26E0676C61B8BD7D447,SHA256=40EB4A4BF3D09E3FDC3EC02EAE60D257FB25EF5313578E91B125728B6430DF15falsetrue
23542300x80000000000000001535048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:47.658{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF64CDD58F661D5DC7B7CF81C0CA210E,SHA256=75550DAB116E1886ADA3560DB77215C6078BAA8E93DC119CD159E60005006B38,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005426779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F420302D4AEDC8BB23170B8BCA9C5E7,SHA256=D0F3FB9DBD99AF2C008DEFEACDA570764345A473792FE419B2741DAF73A67A52falsetrue
11241100x80000000000000005426778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.583{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623
23542300x80000000000000005426777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.583{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue
11241100x80000000000000005426776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:47.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A0FC833287FCB90FCF55AE9C67CFF0,SHA256=4E60C3CFE9AC365E6B0B2A50D436492DB0AEFA5BDC0AC1D5E9C52770B79851E2falsetrue
23542300x80000000000000001535050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:48.661{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81E1BEFD174826DAD535E86CF38E86E,SHA256=FC0096AB6C347040EDEC3A719607CF1C1EBB6ACD752897F8999E9ADE993C2CBA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.723{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=379D2268A750B8DFC47B87348E570FC5,SHA256=4D4E5F1E3FA059676DE05E597AA8DA0B695F5423DF2C787609A6FE507128FC41falsetrue
11241100x80000000000000005426784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C700267C85AF309697581D736CD6C4D,SHA256=E2B38756CC955BA52F059824A8BF490178E7E491D9E69A48260B27790807395Dfalsetrue
11241100x80000000000000005426782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.348{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:48.348{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0239341874E8FCFD190B62F2A624FD17,SHA256=06EB986C7E73CD2C55C2303F77415114756615352DCDFF2EB05A64FFE5A4C058falsetrue
13241300x80000000000000001535049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:09:48.245{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a4dc-0xb5e96302)
23542300x80000000000000001535053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:49.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9B500912EB1370852A69DE08BB6599,SHA256=8C3476A44D7BDBC7EDAACE11A939DD40EF229589A27BF08531D97B8D3AFAFC08,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005426795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:35.888{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-291.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp
354300x80000000000000005426794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:35.755{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63348-false10.0.1.12-8000-
354300x80000000000000005426793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:35.223{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63347-false10.0.1.12-8089-
11241100x80000000000000005426792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=721B76ACC69BCE6BA90A355E7B0D3D4B,SHA256=A95923147CDCED7A22211944235BE3DD8D9C6212AA4FC3C807CDE37825BA243Efalsetrue
11241100x80000000000000005426790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD13AE6A3B5D23E387A9AE7880897998,SHA256=2C14C75B11EA3A9BE3ECFBA0AD9E43D9C23E86C93A9D048FA2F3977B9131FBF0falsetrue
23542300x80000000000000001535052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:49.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FF250091392C068715E0C347877DC14,SHA256=1DB12DFE763AEFA705A32E4976B37BF798021F661C2AA5350E10BECEA90C0353,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:49.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1C34719120E562D98FCEAB6C40B245,SHA256=AFBD9903A801D35CF1A35EC003FD0653B4B99DFB7559205FCE6023FC13C7B1EC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005426787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:49.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C505734A583C9A61FED82A3DEBB6CDF,SHA256=FA5E48CD2250F90A17A00CEAE55BB13FC65FC05697D877FC13C9314BD6C14DB2falsetrue
23542300x80000000000000001535055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:50.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8C6E6A92DA6224D16317785CC0757A,SHA256=BDF3015103C593F3AEF4F2DA87FC39C33B5EE852B48E3596A4929817DC1DBE15,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:50.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:50.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE519F00BD4C4CC8AD4DC473CF5C45C5,SHA256=19F3CC183FE6B0165280DBC729649B22C01079AA11A7BB2F938F4206527B14EBfalsetrue
354300x80000000000000001535054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.889{AEE49BD1-415A-6132-1000-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp
23542300x80000000000000001535057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:51.737{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB1F9B7AFB73E0F0295B6F7AB9B4E18,SHA256=4CD8A1DABE6DE10E124B27E79CFB93D481A2054FA76BD9D67A9E9B109228E9DF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:51.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:51.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3AB3F956E368FA072E437A7F774DD0,SHA256=923407387F767A70F079731720B9592E84898C16092ACD88469539B3B9F26C0Cfalsetrue
354300x80000000000000001535056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:42.890{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000005426801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:52.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:52.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06572C8B5CA6026C990E505E71D99859,SHA256=3CDD426CD5669EC137EAD06DAA1001C75E6FDACCE72E3B5A7DA349984268CEBAfalsetrue
23542300x80000000000000001535058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:52.740{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A548B3122D2833CBDCEBF10402EA5ACF,SHA256=9F336583F962BD03AF73E7536527186C05837EBED489BAB40A27CA8A940D1976,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:53.743{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B204BC7DF84D24BDEF3117800130DCA7,SHA256=725097065E6DF4636EEB219940CA7E9E0C4F2F8D741D0A7F61AFD8737FC15F9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:09:54.762{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4F503A9CE57565803E03F7F612A70E,SHA256=ABD9A8648E8B2A1106EE2F636EF3A8AB0B6AA3B0A5F369F9D0A950F9A3DD7A3C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.567{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.567{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9963C27E7F7CFB9B037F771ACF99AD7B,SHA256=976FA9E55F72E28D36D30930690CDF4DDE4F4DE8AE185C84465F495AA56721ECfalsetrue
11241100x80000000000000005426809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6992896746F004BDC795930D02B4913,SHA256=B4612C83B9E92EFE0183F9353115F808392953EE4F5F681C6118E8DAB4D95C33falsetrue
11241100x80000000000000005426807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005426806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4726101AD473C021E9966EE7B80685,SHA256=3E887432EECC9A1D0C1BB7106D6D9BF980E51BF20B8455980FCCEC73CCAD811Ffalsetrue
11241100x80000000000000005426805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:54.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
Sysmon event records (the extraction dropped the field delimiters). Each record below is split by its Sysmon event schema, with columns separated by " | ". Column order is the Windows event XML System section (EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer) followed by the Sysmon EventData fields for that EventID:

EventID 23 (FileDelete, v5): ... | RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
EventID 11 (FileCreate, v2): ... | RuleName | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
EventID 3 (NetworkConnect, v5): ... | RuleName | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
EventID 10 (ProcessAccess, v3): ... | RuleName | UtcTime | SourceProcessGUID | SourceProcessId+SourceThreadId (run together in the source; the split is not recoverable, so they are kept as one column) | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (last column; its frames are separated by "|" as in Sysmon's own format)

23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426804 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:54.067 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=7121631E04B1DE38C3A1C12838AC4348,SHA256=138574A4F52A86D956C12C39ACB9292D09DD9F97C3BB22CFBF9DF357EEDE6198 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426803 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:54.067 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426802 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:54.067 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CE2135A9D6BE00033D1C3ACF98C5BEEC,SHA256=1D82BEB29327D49F5F8D0B6C3CB41A2D865C100E242AB12FDDBE4366BEDFE6A7 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535063 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:55.765 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=27E504F2B6E85BF3DAC99EC0E1053DDE,SHA256=18F57812DABDA09C03A249D6A90B59226275E4FD3F650F026B176EDDD7CF1597,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426814 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:55.270 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426813 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:55.270 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EB3EF768D26818EE3A1CDA86BF5D2981,SHA256=EE0393773A01B904B7C2AC157F8E73EAAB80CE03C4BDD521D915AC98F8497901 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535062 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:55.178 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=5AC2E9C31DF85861827A1FA65FDCB0C4,SHA256=DEF0801FBA88F5E4C0721A6582ABA864891BAD6E29179F1918235AED6C52208C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535061 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:55.178 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=2FF250091392C068715E0C347877DC14,SHA256=1DB12DFE763AEFA705A32E4976B37BF798021F661C2AA5350E10BECEA90C0353,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5426812 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:40.801 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63349 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535065 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:56.768 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C2981F683D90A6DC76F1B9069EA0E1E5,SHA256=E116428288929B90F1DB5738FE491F383200FF37AA1DF643E3C71B60164BAADC,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426816 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:56.317 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426815 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:56.317 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DBBFABD8EBDE8346101B3558FBBA62CD,SHA256=A02292C101A222C6CFCD738306E99CD643AF7955C7C376C4E6A39E4DB4217E63 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535064 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:48.685 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60598 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535066 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:57.771 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=30865556EECC9EA2CA49D46793B3B3DF,SHA256=6868218E2CDEABF9042ABBFB13B6812D890E2108A323194A93119A98EBCA9C73,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426818 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:57.426 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426817 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:57.426 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=685FBB63F00187DC220453CA68210F11,SHA256=67815C0EAF344A901815C67CDD1D6703DFA3625D970B634590AF3A6EBF83BC21 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426824 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:58.942 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426823 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:58.942 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=7BA0711454E546537065FD22E0CA0792,SHA256=1D7A80B443360B9BA5166A728D3FA10E9CA2C31BEF2B0310A43F298977614437 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426822 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:58.848 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426821 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:58.848 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=AEE8E10245E33F9F365CA8C6DD4A597E,SHA256=43B6B0FE99FF38D05EA78A7E6A8FC4F0B26E74A655207E0ACE5C7606F0342A64 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426820 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:58.442 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426819 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:58.442 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A755808F40566F38129172951D64AE4C,SHA256=E32819A27E291400F2713A19D62CC7DF594283E88C01576616B5C81E5AEE5766 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535067 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:58.774 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6FC8733A6ED07EF3C0C9B845E4ED3D67,SHA256=23562168866E7764D40655FD8F3CBD9DEE55DCB87D72D1068E7A0F742CAED42D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535068 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:59.777 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FC012AE1EE5DEC1BD53999C62A15C671,SHA256=A6D7D6A558794601DCA22ECFCEE718D49151AD0D8E7043BD7B397BF028F4E176,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426832 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.630 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426831 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.630 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=9B8BFCAE254D62C1D898D7FEE1FDBCA9,SHA256=7990A6456AE1DECEF0D3900E0856B9A224CA263F1030CF182A4493C7B5490F5E | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426830 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.458 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426829 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.458 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=146EF0269012E29A8BC792B262C97F7C,SHA256=E4759E311CBCC0B4D8BFEB5F7C88082C16F84B690240AAB818170111993E610C | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426828 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.223 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426827 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.223 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=1641A8E3B68D93C9C4B8604859BC9CA2,SHA256=697718F4C8206F3282FBD919ADDC0C4E53E6F8A9B67E31BFA423640CB6135266 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426826 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.223 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426825 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:59.223 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=8CD1BFD9D3450F94DF68CDBC3E332843,SHA256=6F7FCBE21FD261A9253953127A6D70B453C90233E9E66B73FDF50ABCEB9BE0B0 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535070 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:00.780 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7428B622D169D27CAB1B047AC22404B7,SHA256=A7590F6D575D688F2A8A57D861838E40EDAC820B14C376926DA4DD898AA97C54,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426835 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:00.473 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426834 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:00.473 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=49ABDE37DAE1D729DF90ABDC9DE2E643,SHA256=7C8984704E61D4C8346A53BEDEDF8096709A9658F9D9B46046E98FA9A2755DE9 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535069 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:00.043 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=5AC2E9C31DF85861827A1FA65FDCB0C4,SHA256=DEF0801FBA88F5E4C0721A6582ABA864891BAD6E29179F1918235AED6C52208C,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5426833 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:45.864 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63350 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535072 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:01.783 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=660745F051108E56481C5521D562F252,SHA256=53DBB8BA085585E2F66BFCA670607EA7BC896D06CEE50C40F449A7CA512BD624,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426837 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:01.505 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426836 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:01.505 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3E834CCE6ACDBB32BA0896C09B54C31B,SHA256=571024EE15DEACEA98FC1AAB0D0726137AC6CB318DF26D88A202B3364610830F | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535071 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:53.701 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60599 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535073 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:02.785 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DDE46A0445605CA6FA9A3A5FEB6B496A,SHA256=D8DBB2C94B3BA1809D7B0923DF8A1C17355C4C59A38083AE601AD743A6A247C8,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426841 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:02.723 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426840 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:02.723 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=1641A8E3B68D93C9C4B8604859BC9CA2,SHA256=697718F4C8206F3282FBD919ADDC0C4E53E6F8A9B67E31BFA423640CB6135266 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426839 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:02.536 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426838 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:02.536 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B117559C10C3F91FB7B8D82AC2FCC88E,SHA256=68862CBDD782622C36DF4983A5DDC56C039F6FBD3CC54B2947596F3BAABF32F5 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535074 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:03.789 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=316BB85D17B99C7592D7DA67A0228348,SHA256=34AD142BEE1400C5E00FC8A6AB053422D66F49968BB83F30A0EE438B06550207,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426845 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:03.926 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426844 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:03.926 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=5145BF483FB462906FC0F63E8EE83830,SHA256=4EB0A201150FCB7366D01512FE34C3B8DC8245EC5E45BFE5BAC8B66C5DE464F3 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426843 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:03.598 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426842 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:03.598 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=75113F4838875E38D76A602CD2BFE5D8,SHA256=2764A550749EA9E89E8C797E5175D57C18F7664393FC0700C01FD121985575ED | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535075 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:04.792 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F9112B382E2AF2A3A00BF652968FE6F0,SHA256=5D04779B9EDA71C0DE17A57F6CC51A5E5D13DCE38AA9CA924EB65E3A2EFD1231,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426851 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:04.661 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426850 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:04.661 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=2A20B935EABA0CB9600526D35879A3A0,SHA256=A437F214196B974A924F51B0136E45251046FECE368AAF9AA2036EA1CBEF43DA | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426849 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:04.614 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426848 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:04.614 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1F7EB691B40FBEA66CFB3724EE5BAD25,SHA256=5D3303D266831F0A05D3DAECF344BF92E880D58E94728CF8E01DB77C8C1289B7 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426847 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:04.020 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426846 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:04.020 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=660106451C709D6EE383278B41951BC3,SHA256=C7EF41846454FBEAF7A1627D7FE6DEFC2076929425C7E94DD631BBF0F84C2903 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535079 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:05.795 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AEF0961EB145D49C3B08C4D90BFF8258,SHA256=90933E409587E7F4B39DC45040CB780EE71E2CBCD9719AEE60244448940A2BD2,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5426859 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:05.817 | {4DF467A6-3F47-6132-0C00-00000000F001} | 8368104 | C:\Windows\system32\svchost.exe | {4DF467A6-3F48-6132-1500-00000000F001} | 1216 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5426858 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:05.817 | {4DF467A6-3F47-6132-0C00-00000000F001} | 8368104 | C:\Windows\system32\svchost.exe | {4DF467A6-3F48-6132-1500-00000000F001} | 1216 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5426857 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:05.817 | {4DF467A6-3F47-6132-0C00-00000000F001} | 8368104 | C:\Windows\system32\svchost.exe | {4DF467A6-3F48-6132-1500-00000000F001} | 1216 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426856 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:05.676 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426855 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:05.676 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D8CE0EB2DB5DF3BDE58D173E9B460200,SHA256=ECC62AAD7C9647BDCFD1AE03F485A128365E5ACCDE2EE01B8BB8FF2BA55E4D7F | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535078 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:05.757 | {AEE49BD1-415A-6132-1100-00000000F101} | 984 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | MD5=51BDB4898F3506A3533FB32B0F89FEE0,SHA256=7FCAFD25AC98F05DB11648671A0EA211A4087FF2DD75D007EF70F8A722F3D572,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535077 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:05.378 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=D3222A57B26887F99D2CA807F4C567EF,SHA256=62051FB0DB8B0994225215E5FF8BB17DF16E9400F7D1FA74C97AE0CE3DCF39A2,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535076 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:05.378 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=D0D6247FCE5077A7FBD27727B1375CB3,SHA256=4C84CDE2BB50A0376503EFC374BC259301EEA3E3B78DC4264A06280A7794A4B8,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5426854 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:09:51.738 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63351 | - | false | 10.0.1.12 | - | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426853 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:05.145 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426852 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:05.145 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=7C15A958D6A2A6E1D399257A068CD01A,SHA256=005B7CBC567D7D5247BCDF57BB87064B83AF68882246CFC195E8187075DD95DC | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535081 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:06.797 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E53B0B6EC89C930196686B1CCBE4E458,SHA256=F475648763A91617085EDA28EFE22D348DEA0D01D645EB284EECE9A51093D5A0,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426861 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:06.708 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426860 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:06.708 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DC65AEEB5F3B4922BDAB6B1FF04F4850,SHA256=5497A04253FFC21F07743B51A424088008CCD6D094B96F45C3B1ADD64C7F824A | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535080 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:09:58.813 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60600 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535085 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:07.799 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=215330F575B8B5F115259B6E7A42E547,SHA256=2214A3F268CC5A1C5205E032E25F3A4C035FAE05857099542F60EE9AA7A6DEDD,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426865 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:07.728 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426864 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:07.728 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=E3A1244E680BBD405A393D8DE644C350,SHA256=CB1420E5E97C034903D3845A8E33485A260FD448C01ED54D6F3221ACA16F42FC | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5426863 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:07.712 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5426862 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:10:07.712 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A78343E0A6610BDADF251C54A3AD7739,SHA256=6AA2B6088C5456AA830FCF6300755A1888B0746E75F3C0A57CC4FE3179F2F5E2 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 1535084 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:10:07.646 | {AEE49BD1-4464-6132-C502-00000000F101} | 45004828 | C:\Windows\Explorer.EXE | {AEE49BD1-DACA-6138-1CCA-00000000F101} | 4976 | C:\Program Files\Mozilla Firefox\firefox.exe | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80137AEF8A8)|UNKNOWN(FFFFF8CB6D4A5B68)|UNKNOWN(FFFFF8CB6D4A5CE7)|UNKNOWN(FFFFF8CB6D4A0371)|UNKNOWN(FFFFF8CB6D4A1D3A)|UNKNOWN(FFFFF8CB6D49FFF6)|UNKNOWN(FFFFF80137807103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad
10341000x80000000000000001535083Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:07.646{AEE49BD1-4464-6132-C502-00000000F101}45004828C:\Windows\Explorer.EXE{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80137AEF8A8)|UNKNOWN(FFFFF8CB6D4A5B68)|UNKNOWN(FFFFF8CB6D4A5CE7)|UNKNOWN(FFFFF8CB6D4A0371)|UNKNOWN(FFFFF8CB6D4A1D3A)|UNKNOWN(FFFFF8CB6D49FFF6)|UNKNOWN(FFFFF80137807103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001535082Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:07.646{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1a4b1c10.TMPMD5=D01734B513C185F70D31918B721F4959,SHA256=42EEB2A2D24121428DB1C3CED6B22CD4D28DD42208C27788AE4A4B1C5C2C9541,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000005426874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.996{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7177MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue
11241100x80000000000000005426873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.995{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71772021-09-08 18:10:08.995
11241100x80000000000000005426872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.994{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71782021-09-08 18:10:08.994
11241100x80000000000000005426871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.962{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.962{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B53422C70AA3965DF7F0B7F5309E47A,SHA256=285244C15462FD7456223F9F5E0C375B1C61CE3CA173E697948904C6952F159Ffalsetrue
11241100x80000000000000005426869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E2D3D781AFF8B88E1DCB84900D6A9492,SHA256=CBE64336F372B2A687B56A600462780FBAA049989AB46ADE65DBD75AE0DE662Afalsetrue
11241100x80000000000000005426867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE16A63CDF09EFEC6A12DC79CD82F88,SHA256=7078103527584DECEA83F9B1648E82BE587BA6939781B81B4D146574C40FA220falsetrue
23542300x80000000000000001535086Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:08.802{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBDBF62018FFB3700F08F5260EA86C7,SHA256=0320E4244455F95DB496E20889331B025C6C2B51B1934793B9D2DF5B703A5581,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:09.896{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:09.896{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2428208ABF7E534EE6B52D25C6BF923B,SHA256=2642FA282D0A8982566E5C22267CE2A174CC0F2189898AE6DD73DDF103D6C4CDfalsetrue
23542300x80000000000000001535087Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:09.805{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9FAB535966E6533C1979E18F342E6E,SHA256=201AC440A70E60590A74335E25717EFF0F79201E0BE71FA9DB95E499AF8314B3,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:09.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:09.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DC3DEB60CC257F805879BE6CB44265E,SHA256=631955DF23F6BD6B91C11EB1781336BEAB596A41FE7A9268C1CAE85C45020CC7falsetrue
23542300x80000000000000001535089Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:10.807{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72B601A4E615CC4B04E8C3F0F85E3CD,SHA256=3DFCBB210956AC48B1830BA07963D9E2E0DCBB583297674848888CDE64927084,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:10.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005426882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:10.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD5AD0EE466C248645272CA443841382,SHA256=3F56F8985E58566B709FB1311691EF0496F4FA4C240D758E52C3466E852C62F9falsetrue
12241200x80000000000000005426881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:10.175{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005426880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:10.175{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
23542300x80000000000000005426879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:10.006{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7178MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue
23542300x80000000000000001535088Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:10.273{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3222A57B26887F99D2CA807F4C567EF,SHA256=62051FB0DB8B0994225215E5FF8BB17DF16E9400F7D1FA74C97AE0CE3DCF39A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535091Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:11.811{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6477949524165B73A8202CB322248053,SHA256=AF54EB4B6FCC9DC0EAA59B558F032B3149DDA43EAD227802B82E44263336B69A,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005426888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:57.831{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63353-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
354300x80000000000000005426887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:57.831{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63353-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
354300x80000000000000005426886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:09:56.880{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63352-false10.0.1.12-8000-
11241100x80000000000000005426885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:11.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:11.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0543EF6FFECE06AF59875F9AAB927A11,SHA256=FD5053D166EDF8B6BDE8063331A9CBB8E4E62A80A4B3E499F789B298630436E7falsetrue
354300x80000000000000001535090Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:03.911{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60601-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535093Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:12.960{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535092Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:12.814{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00414113F7568CC12DC13FBF7D9C3823,SHA256=86D96C097BF8D34738FC54A78936997D2A62FECDE20A0E0E827DC15B5E29D2D5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:12.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:12.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416DC9284328C10AADFF5A91FA9C5E0D,SHA256=949425AADA899F37F0C97B6184334F783CD7701842B3D2166B77A074BBF128B7falsetrue
23542300x80000000000000001535094Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:13.863{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033D74EB9B5F092AF1CE6FFB3A653993,SHA256=AC9CE49B3A5575A711D4A5F5F3380572B33D858A827C0C660499EB2D52128D20,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:13.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:13.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E316C94F475ED2EC70174E9DED7E5B2,SHA256=D534F15C0A99260EACDE20D10917B9B0A5AC1E89B2827154FAC2C4FBF7369DE2falsetrue
11241100x80000000000000005426892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:13.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:13.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AD20CFE7604185ECD0C86263809D1F,SHA256=DD0F7667F7D809AC50E8C336160812EF850E1BCB9F30BD2067F34A00431B07D5falsetrue
23542300x80000000000000001535097Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:14.866{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B9E0996A98462B637BFEEC4F5E0CD7,SHA256=CE514137C2A7AE419E83AC7BDFBDB38BD5C71EEE40976B652C5F1BD88AAB70C5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:14.756{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:14.756{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5CF548F6F00DD6DCDB6DE58973A07C24,SHA256=19844363C18FA7B0F18ED07A48405061E38F6CFCF14348FC080143991BD9700Dfalsetrue
11241100x80000000000000005426898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:14.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:14.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC82B27C9AE3B6D7076BAE24A123273,SHA256=8FFCC86894B508FA8072243F36EB39FD29E48205C098CFD7EE828C8563CA4A81falsetrue
354300x80000000000000001535096Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:07.621{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60602-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089-
23542300x80000000000000001535095Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:14.132{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB16CA6251408CE304272E6672BC9D79,SHA256=8E5E3BBFF0595B0EA329516B953BE92A6FC296041E1FE2FB494A7D1934662B94,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:13.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005426895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:13.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C2353D5B70E41F4989FCD591D463786F,SHA256=D2AF1329496D2F4CBB1A724126F7B95023FFE122392E1E3E4291C76AD184A08Afalsetrue
23542300x80000000000000001535098Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:15.868{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AB8169A0764D998566FFC764B39F90,SHA256=BF7CA969916F37EFE2D467FE06B07BE672CDF5834F9EA95138546DAD767C177E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:15.428{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:15.428{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D302ED8266651255C6A2A03DD2E418,SHA256=14C096777FB3B821923722CDE153E1AA049A4C40A085803EE0A4874CF2C9D1D4falsetrue
23542300x80000000000000001535101Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:16.870{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B705C48583A9E33987AF6179B64F384,SHA256=E4D193FD47528AADB21293B64650386F18EFE678CD1083BBA6F8EADA1CF2391D,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005426909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:02.912{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63354-false10.0.1.12-8000-
11241100x80000000000000005426908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:16.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:16.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F534FB92F635C5480374A0A1596B51,SHA256=EE583BBFE724741CD5A4D190CC52BE2A888E1E47DC27374C2559A8890169C134falsetrue
354300x80000000000000001535100Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:09.726{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60603-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535099Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:16.068{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=725B0C50F7B1883D36BA62547C4A3E95,SHA256=81D47305ED2AD1FD30D9D3D5B16FE6CA5C67C42F898E4594967CD7105A94BA10,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:16.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005426905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:16.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0CF9B0B844F9D12A8AE98234D43F10C,SHA256=CF83FE7FBB9EBEB80E2A37F0235811916308B5324A2024119A311F90F2232F0Dfalsetrue
11241100x80000000000000005426904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:16.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005426903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:16.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94BE5F82CDA449491BE429070DB7A589,SHA256=01940F195F659E046C3D9E8D804675B27F23914FCFEBC7EB7659B7B4E4DB88F4falsetrue
23542300x80000000000000001535132Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:20.898{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C5AC531D118ED7DA9B7C1B91BF63A4,SHA256=A9EEC6D80DC6905359BB865D65D499C8A6B7E651E6CE85A6362C019F2D225C61,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005426946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:20.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005426945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:20.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B212C473EE336425BD0E2D66FB1FDBB0,SHA256=4DDDA58338E706BCCB6B49E21C534BA36855A6213A3DDD73C7D9A82FF0986F76falsetrue
23542300x80000000000000001535135Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:21.919{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D312AC3DE7DB4353D9634455F1E132A,SHA256=4F24E29CF352B96CBF1618DDD355C5C883D545BD94E65FEBD6C4B72FDBBE66F5,IMPHASH=00000000000000000000000000000000falsetrue
734700x80000000000000005427057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005427056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005427055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005427054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005427053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005427052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005427051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005427050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005427049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005427048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005427047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005427046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005427045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005427044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005427043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005427042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005427041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005427040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005427039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005427038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005427037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005427036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005427035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005427034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005427033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005427032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005427031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005427030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005427029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005427028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005427027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005427026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005427025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005427024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005427023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005427022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005427020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.944{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid
10341000x80000000000000005427015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.928{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.928{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.929{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.928{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.928{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.928{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.928{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:21.928{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:21.928{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
354300x80000000000000001535134Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:14.855{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60604-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535133Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:21.198{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7DB0E7BFE26756D4F39486D19D0D26C,SHA256=05A1F6B570946B750292FDFC576B13B657B4F1EF93E619D8F882D15A90FF50BB,IMPHASH=00000000000000000000000000000000falsetrue
534500x80000000000000005427006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:21.381{4DF467A6-FC8D-6138-17D4-00000000F001}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
734700x80000000000000005427116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005427115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005427114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005427113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005427112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005427111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005427110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005427109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005427108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005427107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005427106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005427105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005427104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005427103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005427102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005427101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005427100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005427099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005427098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005427097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005427096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005427095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005427094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005427093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005427092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005427091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005427090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005427089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005427088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005427087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005427086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005427085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005427084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005427082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000005427081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005427080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid
10341000x80000000000000005427075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.631{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.616{4DF467A6-FC8E-6138-19D4-00000000F001}7740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:22.616{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005427066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16889D63AEA73D3391B3B36345CF38EF,SHA256=D75F25AC6D8C15F7BA745D12866500B3386EA4FAD149F75FB8768F75F0E2D356falsetrue
11241100x80000000000000005427064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE1B2C9E78C616DBEE343E4C63E501D,SHA256=E2F385E8A318141EF0C525642C3B10179D7CD15FB0B64ECEFDC612E048D47FE5falsetrue
534500x80000000000000005427062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005427061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005427060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}66647240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005427058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:22.069{4DF467A6-FC8D-6138-18D4-00000000F001}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
23542300x80000000000000001535140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:23.925{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F918219E124E621261A1D87735B6E5,SHA256=65F6C44DAC089FCCCA73D0A4590793F57E50F0E18CC631096701D51BBD7DA96F,IMPHASH=00000000000000000000000000000000falsetrue
18141800x80000000000000005427192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005427186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C96EB1A30AE1232902CC32F43C3B921C,SHA256=9B6CB3ADF6EA98F9F6309AEA9CC8F1FFF2FE91A46DEA0786219B8E3033B65358falsetrue
534500x80000000000000005427184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.444{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005427183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.444{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005427182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.444{4DF467A6-FC8F-6138-1AD4-00000000F001}73605144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.444{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005427180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.444{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000005427179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.334{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005427178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005427177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005427176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005427175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005427174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005427173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005427172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005427171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005427170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005427169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005427168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005427167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005427166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005427165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005427164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005427163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005427162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005427161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005427160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005427159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005427158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005427157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005427156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005427155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005427154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005427153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005427152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005427151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005427150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005427149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005427148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005427147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005427146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005427145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005427143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005427142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.319{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid
10341000x80000000000000005427137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.303{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.304{4DF467A6-FC8F-6138-1AD4-00000000F001}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:10:23.303{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
354300x80000000000000005427128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:08.756{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63358-false10.0.1.12-8000-
11241100x80000000000000005427127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E328360DD62B63AAF41AE2A2BB8981,SHA256=5BAE8B9C469669017CA3BA973455E2DA4C6BDB2D5E41ACC5B106DEF98FC98A56falsetrue
11241100x80000000000000005427246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E35193D799ACB5478FAAC4594CFCFC3,SHA256=B97819A5C41A85BDCCCAAC74772D31ACDDBCF4F83044CEACA6C8BBD36662FB78falsetrue
11241100x80000000000000005427244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AA9F614A965E404ADCA3D366D5707C,SHA256=7CFB073BE45F7B6F451F9A6F91FEA7300ACCA04CCA5706AF02307D6B0059D845falsetrue
534500x80000000000000005427242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
10341000x80000000000000005427241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}38805700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005427239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.131{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000005427238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005427237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005427236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005427235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
734700x80000000000000005427234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005427233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
734700x80000000000000005427232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.022{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005427231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005427230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005427229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005427228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000005427227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005427226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005427225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005427224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005427223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005427222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005427221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005427220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005427219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005427218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005427217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005427216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005427214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005427213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x80000000000000005427212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005427211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005427210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005427209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005427208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005427207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005427206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005427205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005427204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005427203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005427202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005427201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
10341000x80000000000000005427200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid
10341000x80000000000000005427195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:24.006{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.991{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:23.991{4DF467A6-FC8F-6138-1BD4-00000000F001}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000005427393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:28.405{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516A32E8FE55EADE9BDE56EF645FC5B8,SHA256=3EEF62E5D6F08F2578B20534E4A690612C2E1DD02DAF82C305BFCC977AE9C2EDfalsetrue
23542300x80000000000000001535150Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:28.938{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409CE53A67235FAABA7D64739F40AB21,SHA256=E560F52C5AF12E424DC8846E67A523242DE5AD883E80A1593A6E8B80BA131E21,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E09F1021879B01B1DCFFC0263CD8D7F1,SHA256=54BE08138B967ED135DE6DB3EF698EFC1FE392A7C69344ABB488DE6393C73F0Efalsetrue
354300x80000000000000005427401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:14.794{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63359-false10.0.1.12-8000-
11241100x80000000000000005427400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD8F41F497F12D968EDBDCE4E3901FA,SHA256=A666E52F24A8817E68E26CD5D07B032677F58D2679645DE72F37193070746BBEfalsetrue
11241100x80000000000000005427398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4139D0FB58D7B25890501A77CE8F6AAA,SHA256=E7704C7DCA37026AF08ACD39DF7D66D0069A16533E88CB6378321F6A877436C1falsetrue
11241100x80000000000000005427396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:29.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=564CF03E9132AEE37E3B448B264F6520,SHA256=9E68A92A2DF64C07818539A44A5D412BF5070651AE8B913E28C45C665F2FCAC1falsetrue
23542300x80000000000000001535151Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:29.973{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F0F0CBB9869C8BD6F784B158A4FCD0,SHA256=A2424938B51B7D2B793DF096ECCB82036B1BA7F019B1A70503223C9E769E617F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:30.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:30.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CCA234B2D8276D273E09609D5C76DF,SHA256=C7FEF67DBF659DAC1516565A04637E3C25196DB60FDF383B3C48B9929063296Ffalsetrue
11241100x80000000000000005427405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:30.233{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185
23542300x80000000000000005427404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:30.233{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=303D0E05D1333C723E7E0B48D8D7F0D2,SHA256=275EB5B98A35DC6870D260BF50AC2FC4F24109AC1ECBD07312A4D74ED25E3C73falsetrue
11241100x80000000000000005427409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:31.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:31.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7A557722C8192FDF6BC0C97FEB12A3,SHA256=B1A34F356621808BBDA32D0A565F88F8716B36FB18AE520A8E034B657D764AC6falsetrue
23542300x80000000000000001535152Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:31.007{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3065D378C0DC757CCB4030BB4F91E7C,SHA256=59DCD2FA9F503C5CA577EE1407263EC6BD34311BF4BF6D9471D54CBFEE813D17,IMPHASH=00000000000000000000000000000000falsetrue
12241200x80000000000000005427412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:10:32.983{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
11241100x80000000000000005427411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:32.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:32.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB541D21A1E276D56039CB1C99A52CD0,SHA256=925920D71387079AF7278EA24363EE134772D94A7F775AFB15B01EB850672486falsetrue
354300x80000000000000001535165Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:25.837{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
10341000x80000000000000001535164Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.580{AEE49BD1-FC98-6138-27CE-00000000F101}5888772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535163Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535162Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535161Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535160Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535159Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535158Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535157Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.464{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.449{AEE49BD1-FC98-6138-27CE-00000000F101}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535155Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.348{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0729602266DBD984E6CA02704D6E736B,SHA256=0117A439116917017FC8E124B54604A1EE1DB57962B8EA0BDE28B65DCD76E682,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.348{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE875F8A42445A9767A285DDE987C581,SHA256=3ADAC0BACB4A31D0E3AD418399ED2BF599EAD3B3773C01F84FBDD493D6128998,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:32.010{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA4EBBFB487E44C2C6EE21645E6D9DD,SHA256=022EE8FCEB4ABC2BF1B97546A8F7C9D00A9CF80C660B698916A949A7BE2FBABC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB54B1F2BB9FC7D85668BEE86676DE0,SHA256=D82BCC1E11D76D7D6088C631993157915D4EAD4590FD1A678B146B4F792FCDEEfalsetrue
10341000x80000000000000001535185Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.767{AEE49BD1-FC99-6138-29CE-00000000F101}34484632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535184Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535183Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535182Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535181Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535180Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535179Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535178Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.636{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535177Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.630{AEE49BD1-FC99-6138-29CE-00000000F101}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535176Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.451{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0729602266DBD984E6CA02704D6E736B,SHA256=0117A439116917017FC8E124B54604A1EE1DB57962B8EA0BDE28B65DCD76E682,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535175Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.181{AEE49BD1-FC99-6138-28CE-00000000F101}54241176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535174Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FC99-6138-28CE-00000000F101}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535173Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535172Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535171Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535170Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535169Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FC99-6138-28CE-00000000F101}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535168Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.065{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FC99-6138-28CE-00000000F101}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535167Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.051{AEE49BD1-FC99-6138-28CE-00000000F101}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535166Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:33.013{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336B335CCCBCF832A8CE618A9FC02F6D,SHA256=8E5DC0DC87D35320E6F364F19156646A738C5A54FC10EEB5A98B5209C1A17D34,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A475A7B19C0C50105827B91E2A3C4BB,SHA256=C256758DE1F368565CBEDC461B72E996E67D6428C320C08BEADA906122AE3091falsetrue
11241100x80000000000000005427414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:33.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB994B88D0B7DE9BBCAD7D8FC0D316E,SHA256=40FE6E95A8B4893B06AAC6473795E3402231A091973B22438F95CEB294BDFA60falsetrue
354300x80000000000000005427429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:19.841{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63360-false10.0.1.12-8000-
11241100x80000000000000005427428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE2519344C890AD9DB871F536542916,SHA256=D059D8CA2C2449C4C8B9256326FDD3A5A8F8570037C993CC58F0150EAEEA76FBfalsetrue
23542300x80000000000000001535187Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:34.636{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3A6BE6C579AC99A7B060FDD1EFEBA6D,SHA256=7642245E8C368D2C27F8A2050BDE5A5E9219A39024AA8D3661D5EFE331779A54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535186Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:34.037{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2C9163D613DCADC48F4E52477653BF,SHA256=792727714E99B1146E5324DCA001CBFD751408FD083B4D7F074911575EE593C2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.498{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.498{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C4C4047535929EC2519237DCA252F3F9,SHA256=061C1D7AA1CF8E79DB27B0CF39F10CF3A92C88B3057FEFA844F313CB1811D1F8falsetrue
11241100x80000000000000005427424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=119090E05446C05BA92291C754FD8D04,SHA256=D678B140257E17F7C05C8244FDE2BB575F64B6ED1F85B94C14A88077719AC06Cfalsetrue
11241100x80000000000000005427422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=039762CA0F58B81600DE4ED649B80AC5,SHA256=307DA07277C5BFEAFE3C0E66ED264F28FD0FD76FC928CA28F95529255286C664falsetrue
11241100x80000000000000005427420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:34.061{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B1E0F6CBA106F452B17539E7F9E76884,SHA256=A7E948DCB91E3D52CB88DF57917F2ECD9B6D4DA967CD631C0A6C5180E06DAB00falsetrue
11241100x80000000000000005427431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:35.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:35.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79499B8CEA158D663E3EDFA5E68D0C7C,SHA256=211BCF0F660B62AC3F6CEE5CE98018F293D6BB78E71B8AA2481A31DE68C28367falsetrue
23542300x80000000000000001535188Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:35.055{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1126948AA8E962B1C620B22BD0A62AA,SHA256=DBE33C38909E76861D90A51F88DEF97C83DA7C4E37A3BB8C6F8C6BE3169D58A7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:36.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:36.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF63A9AFBFDE6354237F8D39484567E9,SHA256=6E3007F2C6C1BD6D640D0EF9C1590C61751536B389D320FB6E8C082F912B6435falsetrue
23542300x80000000000000001535189Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:36.058{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8FAAB4D239650872185A7268197597,SHA256=6B113C877CF0FA6A6561A46251106C49E0FEC21B06C81BA154D4333B027C94AB,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:37.967{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:37.967{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3993EB658C7DD912B489EA4E7E513A97,SHA256=EB25AD9CBA2F2F0F5DCB9F80AD67117EC8A40EBC6595D068A88A9CF4994A3BDEfalsetrue
23542300x80000000000000001535190Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:37.077{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87C1D1DE49B4378333CE359DC70B353,SHA256=DDF6774A72B34D9553E6265340A392CF79F0457C4C45DDBE57A89F6FC6C7E4C8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:38.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:38.983{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFF17AB52101CA3307A49CED8BE6FD2,SHA256=E10B6604AFB23D6DBED26C19120153E21DD8EB9360F9FA71EB89395CAE5B7596falsetrue
354300x80000000000000001535193Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:31.753{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60607-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535192Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:38.111{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C457BB9E1D78644EADEC1198264421FE,SHA256=2637B056D0B9285385206F74B75F2BE4CC12863FC0693C28B7E5CA7EF48A038B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535191Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:38.080{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B51ED409790DD2B78C46A7592AA7A3,SHA256=B5FA1C80D0A610A4F0B0B03CF3BCD18E5E6075BE4CF9BDA7D1845C6CB65B8B97,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:25.731{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63361-false10.0.1.12-8000-
11241100x80000000000000005427445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.326{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.326{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4923B244FF2858D7597E5731A57B3EA2,SHA256=4CE90FF74C26D748E87997D2E1074B89E4576037D45BECD9875AEB5DFC6A6833falsetrue
11241100x80000000000000005427443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5115FD5C8DAA19C023CB12DC4D61E0F4,SHA256=9F8B63FA8111CB97BF1474689AE0BAEC09AEA8FFDCF521D1CF75B184C3BE04CFfalsetrue
11241100x80000000000000005427441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3FD2823381D07AACAD356F51CDBCFA7,SHA256=809EDEE08EA868F28553EB47065B2D8743BF6E9644C9C63C5505582F8D733E75falsetrue
11241100x80000000000000005427439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:39.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A475A7B19C0C50105827B91E2A3C4BB,SHA256=C256758DE1F368565CBEDC461B72E996E67D6428C320C08BEADA906122AE3091falsetrue
23542300x80000000000000001535194Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:39.083{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761C36B92670889916D2D176F07DF2B6,SHA256=53E058F03AAA2C6C78A529807C31AECFEDFB3DEAB4D0C10419137E9DE499E5F1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:40.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:40.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFC91412DD1C3C88817C1F7D5DF32C39,SHA256=CBD8FA1CCE156E40DEEEBCC5B4A978EFB572952010211AC62102B30DADB7FCA1falsetrue
11241100x80000000000000005427448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:40.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:40.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42106CC2105875A3F704A3404BAA2479,SHA256=91FDD24C7FF1927A94BCC66274716B71EC59E0ED724BE425A2FF54EDA5E28441falsetrue
23542300x80000000000000001535195Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:40.086{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D7A4871E24E364C817E7AF400841A4,SHA256=E61713F98DC3952EFDC6C51E0ED3BB102DA382E62651C7B95639EBF669666770,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535196Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:41.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA03EB7279E361CD0AD9E457E5C1CD0,SHA256=96B7CFAE1F4B6E188FD8D5CBB9663268EB68A2018131C47E9841524DFCB6E4B9,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:41.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:41.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADB38444DE51845D2F0B97B1D29C1F4,SHA256=F8866F412140AC7921E345506ACEEAB2435687B4C7A937B55C9521CCC4388FBFfalsetrue
10341000x80000000000000001535205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.841{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCA2-6138-2ACE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.841{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.841{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.841{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.841{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.841{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FCA2-6138-2ACE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535199Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.841{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCA2-6138-2ACE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535198Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.826{AEE49BD1-FCA2-6138-2ACE-00000000F101}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535197Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.092{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8B47E500AFA1433FF8A1FB692F958C,SHA256=B5FFCCE1B8777D0921D6422AA42AA0C9D708A2735B9E2F504D838282A61512E2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:42.795{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:42.795{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3FD2823381D07AACAD356F51CDBCFA7,SHA256=809EDEE08EA868F28553EB47065B2D8743BF6E9644C9C63C5505582F8D733E75falsetrue
11241100x80000000000000005427454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:42.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:42.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF32707E23DE6160E26AEE4039B1D9A,SHA256=4DC0C7373E8473BC85D10F521B65D249E9E18D5752436A0A41B8B6C3955E1136falsetrue
11241100x80000000000000005427458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:43.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:43.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F31D84422412DCA706AB06FF30B2CC,SHA256=2F554D0E625F0D83A30BF9F9D4F57768AF75F93BE02B679E6A184979D94DC1FBfalsetrue
23542300x80000000000000001535208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:43.827{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F622F9C9AA817DAF82BDAEEFF8BF019,SHA256=55EE91BCC4659C4831DD9743A644C39C5249605B21344485E001C3CA5D46DAB9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:43.827{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E989A234B7696FBDFA67716421AF36,SHA256=CF19E1E9E50A83EF61AA61847EA1A1A0C9179272C7709C1A160F20F1B3DED5D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:43.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4191EB15F652BA24EF3B37D4971FCFE4,SHA256=F5749F5C0F2834AEDFD9F15611A92276314B762AD552F9B0F87C28522838C833,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:44.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:44.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E8B618B940C6D9ECE8E55F9FE0C3619E,SHA256=2B3DDADF10F4D35068F7D38633147ECC2750D529DBFE4522978E4CE530DF19C3falsetrue
11241100x80000000000000005427462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:44.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:44.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9D2CE7DCE3931416E2ADF9A14F2620C8,SHA256=D0EA9F3C2CB1949C0DF86B46FECD0E3CE20FB894AE53E509710120450B38021Ffalsetrue
11241100x80000000000000005427460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:44.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:44.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFB1898C0B2F91D9881B2ECBC081BC9,SHA256=E7FA22967888079F95A8066A8EF271661CE6A46B869FEFFDFB1D8DFD948D0D05falsetrue
354300x80000000000000001535210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:37.716{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60608-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:44.128{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45347BDD3AFC3B7BD3A49644AD98456,SHA256=3ACE30D6C3D49B3307B0F92F501336EF1D5107D72F49238950EC9056A2381C72,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:31.716{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63362-false10.0.1.12-8000-
11241100x80000000000000005427470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.795{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.795{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B49EC3DB8F10CD9D806E9BF0B2C975,SHA256=BD071D186C2D431EAC23D5B4CFA322A451DD858B5BEE685E29701A37FE05ADAFfalsetrue
23542300x80000000000000001535211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:45.169{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CD73D050DD8429B8C981A99EBC15F4,SHA256=303E5934380E9F0A19C9A327E0D5509B4EE3578FCAF4867644A983E87E345B08,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0E344CC31600B0CF4FB61E9FF433F374,SHA256=9D6FA3C53CA836879A74FA2A23D147B7FF2F66EF9F6588AC222561CDDABCDFB9falsetrue
11241100x80000000000000005427466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:45.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBCF9F2816DC19117B0451B064DFCDD1,SHA256=A97258ED0E2AD876307079CF902EF32678C99F0E787858625F9DE402B4984661falsetrue
11241100x80000000000000005427473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:46.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:46.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484BD747C55F0D91C1D374B2EA7237EC,SHA256=460C67DFC7DC01F1DE0025A984D93FAA0B0AF08A14C577F949E5F53D9406A297falsetrue
23542300x80000000000000001535212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:46.172{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C6B7E3504AB2D75885E6952C98A9CD,SHA256=4C15A3B54E91DFC8F7D03D742551423CFEFC34DAEBA466F8187DDD5C6D5252A0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.824{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDD5AF3409B3A06FDCA37B2BC8849C7,SHA256=740CCD3B93C31BC03FAD7AEACD387C78B10A1EEB1739A7E214B1F2C2927F0B9Efalsetrue
23542300x80000000000000001535213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:47.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC84378DD32DD05D4A10A558FEAB8A1A,SHA256=0A6672A29620FAC6384E0C31A60E166F7648BCA8BF47F1736B81FB3F6A204813,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0783B409D995EFA77642ED010D2D003,SHA256=BFC19E92ED4D870DA25B1872F7D5D982CFC45E433D643FE5379AD6550F5AF8D5falsetrue
11241100x80000000000000005427475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.605{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623
23542300x80000000000000005427474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.605{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue
11241100x80000000000000005427481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:48.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:48.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DCE09EE182BC9FFB1FE7A801FD98D5,SHA256=4C01F6365BA59CEB7B0496106E31762263A2189140137692D69EFE56F0AAF1B6falsetrue
23542300x80000000000000001535214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:48.193{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741D88BB89657EF3217DF5EC524B8BB7,SHA256=F5001F6EAADFA45B42FA2864AAF8979462CBB30F5E9C7DFD08CFEFF3574DFE0A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244EBF9BC70FBE5239CCE44DEF4BDD97,SHA256=8CA14AA10DC7A3FD280271BD995FFBBB67605EF77F77093AE103A3671221BAEBfalsetrue
354300x80000000000000001535218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:42.784{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60609-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:49.196{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F6B36DB79CCAB0EDF2662B31905771,SHA256=47F60EB8004AB5C350AC04E07B20254BD649AFA11E64C1ECDFACF09197D7452E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E74315CAB81F1672711FD8A4817F2AFD,SHA256=ABCC69054234D7462957A19BEC01B5B70B852E012F926E1291A358C1EE1AF357falsetrue
11241100x80000000000000005427484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:49.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D2DDE0F81592DE50C793B6A285A0F61,SHA256=7DE3F4873EA2F4C725C96602990DAAE989828689555F3D026AB954C68BA2EE1Efalsetrue
354300x80000000000000005427482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:35.244{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63363-false10.0.1.12-8089-
23542300x80000000000000001535216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:49.127{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D34CB38CB762CCB5A1B1A37B4030E6,SHA256=B7BF9E9AB1443F8A52CDD3C4DD3D54EBEC778945FACC449874778815762E71AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:49.127{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F622F9C9AA817DAF82BDAEEFF8BF019,SHA256=55EE91BCC4659C4831DD9743A644C39C5249605B21344485E001C3CA5D46DAB9,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD041394300A0AF3947D4A8F40D6EDD,SHA256=E381C26A8D285C6B1AAE9DA2AF86439BD52F4383E4233B83C03F3F0376AE0D88falsetrue
23542300x80000000000000001535219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:50.199{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C5CB30BE9E1BE43FB4DAE2E2FD1FBA,SHA256=B5DCDFAEBA998401636328EC058825489F58D911141FFCF67AAB5AC68EAAF23E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=266590359FDC30DB4C4B3CEE89032967,SHA256=84565F41E3A0500EFAE803720BA91426085C4980CDA5FC3B4CB4F64310C03187falsetrue
11241100x80000000000000005427490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:50.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6C784EF618842E8BF9BE13A118B66E06,SHA256=615C88377D3FBE24ECABBE089B419B56458A5716516C64D94EE0BDAD8E22D436falsetrue
11241100x80000000000000005427497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:51.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:51.886{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7302D0CB19E870756694194E30B2B69D,SHA256=3555BF29676ADA273C96358F2512E3DC3D1C94B55A87B3135B131F4F3236B7D0falsetrue
23542300x80000000000000001535220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:51.202{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3381F0B4FD43B8F4B081C96A6754D3C,SHA256=B1D80A564719695674F198E5D64030092C21BCBD0E0F32D59E65F5C4C7B29729,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:36.885{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63364-false10.0.1.12-8000-
11241100x80000000000000005427499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:52.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:52.902{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3360303022A08CA2A09D3DA28C56D653,SHA256=C27F8144E46674D469C5AB5C16C465876770AC5ACB4938E4453C91C47A5813F2falsetrue
23542300x80000000000000001535221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:52.204{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09928E6743CE3107177DB8CDEF238AB,SHA256=6B79E992BFC161565130AC2826FC91BBC3DE1F20888582C85D7DE2752D9FF394,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:53.918{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:53.918{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72560914523CAD26F7FE355C2D34966A,SHA256=FF61252D2FB630D3B8D99CA4789F08DFEB2C31EAD4D03CFA73985262F75966F2falsetrue
23542300x80000000000000001535222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:53.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610979250B8044DB9BD4C5C457DDAF6E,SHA256=2C9B3EF3A1C8AC9C99C6FCFA740A3516B603C65B742D43466B5E0FEE08789FB4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.933{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.933{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B80C0A6AA7A52942C3289406B2099C,SHA256=0F16EB6ADE56710F8303CC115EF02E580346661300B80858B7A3797002B00F2Ffalsetrue
23542300x80000000000000001535223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:54.273{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496C422B14883E1374A27F7324487311,SHA256=25F96AC350FA90C03B96C38FB47D01741545C5D33B82C36907D08C5CAE691CC0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=72EA7B7E70971DEDDD6CBDD911974566,SHA256=A879B22622A8647181199B9FEE9DA5A56EB14F50F45D470E4027E3741868B6E3falsetrue
11241100x80000000000000005427503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:54.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F309C55CC951E366F835F43B35D3B711,SHA256=480E7C9DABD37C3EF78871D9E20E2860E4DD3F0CAA33C5F4BBDC876017CCF99Efalsetrue
11241100x80000000000000005427515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36046C31F2D6EE7710F1A4200D4312C,SHA256=D937DB08864AAD24717068250860B28ED481057D7856BF396CE468C45BFCE3B2falsetrue
23542300x80000000000000001535226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:55.292{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B96D1BDCBDF4A0B4D2948A279B80AAB,SHA256=D3A01FEB52201FC727A17A83F24F87592E9651C3447C0E0AA0A9C9DA46FE322A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF13F3D55493723C6AFCCD5EA7C7E87D,SHA256=A01A729D130A6209C15B9729F7F96482EC29B90ECB609E3537C3626CA0C1247Ffalsetrue
11241100x80000000000000005427511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D06DB7C3DABD442FA3B5F3460F7AD696,SHA256=031B7551939EA2CB14D2927084E1209408736C357E9CD5F03A15750AC3CBCAB1falsetrue
11241100x80000000000000005427509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:55.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4B18123970C0E5750B0B1A8D4B5B804,SHA256=2D81785EA8A83ECFA208B908039E4E8CC471211DE39963773CD53B004092FA82falsetrue
23542300x80000000000000001535225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:55.058{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E970E9A8FFB76A73F5B5C7A4DC9DF4DC,SHA256=70C216CE62D13EE9C6D445119A7310A3B50AED436BFA74849091B3805FD2BAEE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:55.058{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D34CB38CB762CCB5A1B1A37B4030E6,SHA256=B7BF9E9AB1443F8A52CDD3C4DD3D54EBEC778945FACC449874778815762E71AD,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:56.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:56.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F180659A955A92FD02DEB4FA3629C27C,SHA256=63B21222F474468034B9D507BA19684A00EDEA403A376A94E517BFCFC796AC38falsetrue
23542300x80000000000000001535228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:56.295{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C54008AD439B867E53A1373898E8D87,SHA256=B2C6CEF1C1028F0A62A7BE0B5736371F8193E52F1382A0528EC3AF0CFEBC72E4,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:41.900{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63365-false10.0.1.12-8000-
354300x80000000000000001535227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:48.701{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000005427520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.980{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AD1206809DED81E15B6AEE3DCCE92E,SHA256=210358783ED8FA5A5E7C63A5F756A90AA6A6205AE52A50C64E8D3DD12334BE78falsetrue
23542300x80000000000000001535229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:57.302{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5F84F53C9323C8C058F8F27E834826,SHA256=EF3CDC8CB1C44EB21E084B871AE6C90E518C842733BC08E4D6380150FFEBE962,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:58.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:58.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F0E9CADFF47BCAAD88590A79C183CE,SHA256=1E56907BE6BA551D3C0F85A5839DE603E4221F3D786D743E3A0E0F412363F2C5falsetrue
23542300x80000000000000001535230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:58.321{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0206CD368379720A27277F9FFB725621,SHA256=9D2A33860CB63A140CC6CB503219473B38D3A966D2EC60906A927DD5816D2861,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:59.324{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1054069BF2A17465DCDD3DD3437150,SHA256=0118E894A45D3412DEC1B9A139D52F7AF55CF9B65FA5BD6BA436782D4F6073B8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E244369B455FCFF933A3A96F760A1735,SHA256=A9C535F7EA7CCCF178947509299CFC14C439A01A426F5796C2436FBFF1A57B60falsetrue
11241100x80000000000000005427524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:59.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8C509B89503288FBB18839E165BF043,SHA256=02B1205C2DB159F5E0A08D5220ED9C151B8BF37B3FBD3FE71BB6AE1C7E8A405Afalsetrue
23542300x80000000000000001535232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:00.327{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF7552FB8CB0A33F67DA4623AD857C3,SHA256=ABA5BD4E318CB2A477B63755E52F4B16760914C0B7ABCF58D45CB7A2DC5BD14D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.230{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C8A9BA8B7736608960ABB3F230F3AFC,SHA256=37FD4545A9728F34F181412A2E38A49B3D68477FE91D8D3ABA1777E02A5D1724falsetrue
11241100x80000000000000005427528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:00.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42033A3A9D4460D44DA3C4D488B08AE3,SHA256=21AE16B0290062C1356E6123AB2001D403753869EBDA08F9C72B6A5AD9D8F421falsetrue
23542300x80000000000000001535235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:01.360{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A901C3789EFBC157545EC33DCB1E4845,SHA256=9838DA7ED6B27B160105F91B4F86276F8A13658802EDF40CDB9A0E14FBA75A8A,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:47.900{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63366-false10.0.1.12-8000-
11241100x80000000000000005427536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE82C92AABAAE45E5A649F56D6381299,SHA256=E087A9E92475B8B5D4F9F3190CCF5C2AAE4B5AAC53475A1DECE7116A74A75B82falsetrue
11241100x80000000000000005427534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF13F3D55493723C6AFCCD5EA7C7E87D,SHA256=A01A729D130A6209C15B9729F7F96482EC29B90ECB609E3537C3626CA0C1247Ffalsetrue
11241100x80000000000000005427532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:01.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03E6C2BB4A9DCA8DB0A578A90B7A9AB,SHA256=11B635C934BD5761B44785A6D7D70027A6202AF3C9FA80FE24E0359AB3F29805falsetrue
23542300x80000000000000001535234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:01.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54D3CA36092C38F98A264BBB24269B8,SHA256=938B3640CF36C5CA9495F6308E8EB97A1FF5329CA1C79E5AD860E07D6F6CCFE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:01.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E970E9A8FFB76A73F5B5C7A4DC9DF4DC,SHA256=70C216CE62D13EE9C6D445119A7310A3B50AED436BFA74849091B3805FD2BAEE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:02.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0AEF7049FF9DAAF4F194AD41BE3297,SHA256=F5F457107FAA2A87A0109F1AC09C9914396E137EF16D7812004F6CCD211FC985,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE82C92AABAAE45E5A649F56D6381299,SHA256=E087A9E92475B8B5D4F9F3190CCF5C2AAE4B5AAC53475A1DECE7116A74A75B82falsetrue
11241100x80000000000000005427539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:02.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47462B1BEA7363C53BC974CBA2A22B8,SHA256=37DA2321103E523DD529659E23E302F69BB097B172B28633D68573A76524CEBCfalsetrue
354300x80000000000000001535236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:10:54.717{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:03.396{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A387C108D1BE69DCBA0FE1E10FAE737D,SHA256=58720F348912F90BA7E64FDA0AC149CB108A9B997F768506426F8BE20B0E1410,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:03.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:03.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC847EE03D1C50CC93A0C359EF5FFB9,SHA256=F9B9CC18ECECE5C1189773D7463C986DD9DBEE8C9E50CC81E774FF864912B305falsetrue
23542300x80000000000000001535239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:04.399{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2069F9ACC7B8B0AB66B1071E82E8A2,SHA256=9A968F7C8B4922FDE424C31E8C998FA8184C1131C026BC9DC5DD2C48EB14B26A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF3E5CE2D1F31D61A9B83A14EC1ECBB7,SHA256=CF0C442DF9A06B888C7D37731C5243C2EF7768A1C0CCD3B4CC26612C9473806Dfalsetrue
11241100x80000000000000005427547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10AC9F3DA57F06186668EDDAD4AC3409,SHA256=CBF8221B914FA7224BE0711054C292106F7E4E7C12D9D0C07D1F0830C6400998falsetrue
11241100x80000000000000005427545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:04.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBA066CEBC413003CBCA4DEA7C3CBB5,SHA256=C48F440A573A0129A4D9538A558A7C550D9834E153BCA4BF725FC75221D8C71Dfalsetrue
23542300x80000000000000001535241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:05.770{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D3644844FB9AA4EAE41FF77EE2F0E565,SHA256=8B322609DFAB1A0409F0C9E1D65BAEE58387B5E5A20EF3A91EC3073E7E44915E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:05.401{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D55514F27757FCA4C7F12D8AFADF1A7,SHA256=D879AFF66EEDB2C2837B59C3D0A77C423F85F43792C3F184C3B667CD823F31AA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.293{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.293{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4BD621A1264087BD22A8E0CA06E0393D,SHA256=541DEDFBA4CED1BB12EA677FD4EE216CDB377330430548BD607CCD83A95CB665falsetrue
11241100x80000000000000005427551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:05.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941B1E9318B4F972B824BE9F39B61226,SHA256=194CF23ED93250864B25C88A928DCBC4BC4BDA1ADDA404D1AD91FE1D6D9A6F4Ffalsetrue
23542300x80000000000000001535242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:06.421{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC79EFEB94B364E6491717925301F328,SHA256=7AF70BA987CCD0FFBA37DBD2B8A3081D594A7F016F703E7F17F3B34827CF6F92,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:06.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:06.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB37F37844F99A79B8EAA9160C51657B,SHA256=27DB004519392429205DB66B1E9E84FA756FFCB714A1E05CDA701360516BB9B9falsetrue
354300x80000000000000001535246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:00.715{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.444{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F9EA697AFE705CBC993C9C67322848,SHA256=F872A9F0907512B8BBA6BAC5F7666BCD2DEB1D5445DF7C0135E86070DB0B3E2D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A378760C383ADDD6E97D9759D254CD4F,SHA256=BE22E362DB736A925C7FE8A07BA3C59868FE8911081E8DA683BA2C38D9BA6857falsetrue
11241100x80000000000000005427557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:07.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1A1B5E501BEF3F2B481B0AEF9728D9,SHA256=C988CEE21D8C52E14B9B9071F3399BF184D0799272EB475DA6C81C7C0B6C3C74falsetrue
23542300x80000000000000001535244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.274{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4758DCF6D6AE69E981052B0A00FB5CF7,SHA256=17597BAAA1AF34C76F11E5D8DD4C360791713B88CD7094DBEA31155043FE7DC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.274{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54D3CA36092C38F98A264BBB24269B8,SHA256=938B3640CF36C5CA9495F6308E8EB97A1FF5329CA1C79E5AD860E07D6F6CCFE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:08.446{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6752CE527E829D1F4F576BF8B661A5C,SHA256=D986392A7AE77D5F4BA39CE92F4FFD0164554FC78ABF7A5513DFEC834BBE6811,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:53.744{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63367-false10.0.1.12-8000-
11241100x80000000000000005427561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:08.125{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:08.125{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16B3F76E9EB7817EB15347B1DEB69B0,SHA256=93CEA9347D0B6574F52DCF1E486592BB4C0F87D50F3E73889BCE285CF84D95B3falsetrue
23542300x80000000000000001535248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:09.449{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED98AFC8636223700FBC5E2475F21023,SHA256=ECA6CCC971F16B323DAA39948B32DA366B9CBB6E893ECF68426837E4B2D907D7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.625{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.625{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4760C0B8F5512665CFB632CD3E14370F,SHA256=C2C579459A03E41D5F4CEADA2E2A33798E8CC13BCAA6CA3E2A2C29E39DD5ACD4falsetrue
11241100x80000000000000005427566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=869A589577149ABA24D97E222F7AE9EA,SHA256=BC0B2A40FE65CC8811841FF4EBFAC44BC24E99CB56BC2C0609080E439BC8DC61falsetrue
11241100x80000000000000005427564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:09.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E0C5D86FDD9CDC0E44D69EEC6CB45D,SHA256=08FF7C6F3C791D0D9F60A911F2A9E5BBD47AEC90F67E0C731146234E027E0021falsetrue
23542300x80000000000000001535249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:10.452{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A191D63DD4F39BC1C86C1BAD3076127,SHA256=20587A745D75F6F4112518A74471AE3395460E77F523AF864DAB3914260BBB4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000005427577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.537{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7178MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue
11241100x80000000000000005427576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.535{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71782021-09-08 18:11:10.535
11241100x80000000000000005427575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.535{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71792021-09-08 18:11:10.534
11241100x80000000000000005427574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.313{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.313{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E58E3D851775A1DFDDA0A8B5E88E9614,SHA256=0724209598A9BC95EED478FFFD34865C14FC66DACFD6DB5E1508F72969D5FAABfalsetrue
12241200x80000000000000005427572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:11:10.188{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005427571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:11:10.188{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
11241100x80000000000000005427570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:10.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA60CD478F4ED67E9A9CFF51204E149,SHA256=2DE22E5F5B08DFA28980098AC41A1850001FC5A0A10374BAFF549DF31622229Dfalsetrue
23542300x80000000000000001535250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:11.455{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240EC0D925791DACAE0AC11E00D87538,SHA256=BEF908E0932F60043225F6EC6622326A761BC286DCB5D23A513D7F4C98D1800D,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.843{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63368-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
354300x80000000000000005427583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:57.843{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63368-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
23542300x80000000000000005427582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.535{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7179MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue
11241100x80000000000000005427581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B744C025BB64E69E2A303D9DE01D3E1A,SHA256=383647FE2D6E8A86BCD6D506FFF4B58788D387256BAF37ADBB5DAC8518955EAEfalsetrue
11241100x80000000000000005427579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:11.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCD011510AA3FC053558382B053A14E,SHA256=5B43A867E94DE9FD709E1F2E62891E58218C16A812E61D589CF067EC64262462falsetrue
23542300x80000000000000001535254Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.973{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535253Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.456{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917DFA08230143EFC142863B5A8070A9,SHA256=B21C5E79942264C7471A9CCD6486127B241848998CAC898D2E6ACF76C50A14BD,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005427587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:10:58.751{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63369-false10.0.1.12-8000-
11241100x80000000000000005427586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:12.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:12.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEDE1D22A9BA7D05150264493326DF7,SHA256=652221C7B97F9F5A541A3FDE39942D05A979B7A47C5337C03BB6F4354F2FEC45falsetrue
23542300x80000000000000001535252Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA83184475383CBC20C7D4C2F18E817C,SHA256=9D9C654C895E212A6DAD121A27F545589044B6F8079C01B4F21DD47A5F16FA69,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535251Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:12.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4758DCF6D6AE69E981052B0A00FB5CF7,SHA256=17597BAAA1AF34C76F11E5D8DD4C360791713B88CD7094DBEA31155043FE7DC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535256Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:13.458{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687B71D9622DA6A2915F84121AAA0C18,SHA256=78AB6F3CD4BD397609E1A363A3FB26B3A7396D71F0AB21EA71E0F3A51FFED9F0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:13.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:13.160{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62D6CA184CF783BAD75B55ADD106EBC,SHA256=FDA220AB7ACA7101A287011EFC2DCA76478059421C6C8154FC927EB315D25AE8falsetrue
354300x80000000000000001535255Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:05.845{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
354300x80000000000000001535259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:07.633{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60614-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089-
23542300x80000000000000001535258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:14.460{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BDCAD927DE1E7BCDDD713A33FA9DF9,SHA256=E19E92F2A588696E94E064691DEA8381632C9A35569F4F732D544707391961D6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=71E27C6BA8F8E0CB46E2947E4EF6C638,SHA256=0004B2E4735DB27F1723BE75A28A05B36705D0519A554E25CDE34C365D3FE60Bfalsetrue
11241100x80000000000000005427593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BAA0B7AB145B170C142BBF94D24172A,SHA256=B78978DEAE6EDCA10592D2A638D6FED38FF9B1B5CE81DA00685B591B3D43E71Cfalsetrue
11241100x80000000000000005427591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:14.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DB289D90DE7A4A26D964ED14D00EED,SHA256=A1271528609317B6974A9071421C8092285D3DDCEDD87C90D8EC486C52304745falsetrue
23542300x80000000000000001535257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:14.006{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA83184475383CBC20C7D4C2F18E817C,SHA256=9D9C654C895E212A6DAD121A27F545589044B6F8079C01B4F21DD47A5F16FA69,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:15.462{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7360984686F92031DCCF5ECD95BC7DAD,SHA256=F82FC8D43AFB13DFB525740F9ECC25C069679A57C147072D52D8FD097C5EC29C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.379{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.379{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B11E6B1CC8FDA61F1C0A0F516F787229,SHA256=B3BD86B25A3E8D13FC28DC89F778E5480A98650043BD40DA93DA356C48F11E2Dfalsetrue
11241100x80000000000000005427597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D806C7917F7C2A346167B59B861E58FE,SHA256=66AE8EA019EC89D1976216FCC637B97BB8AD5434FBB3F932CFA7368C2D31787Ffalsetrue
11241100x80000000000000005427601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:16.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:16.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A83888C3A3DED8669981AD1607324D6,SHA256=313D5287AF50C188B394BEE29B3B416EAE4496A0820A2ACF3F59CE859D127A29falsetrue
10341000x80000000000000001535269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCC4-6138-2BCE-00000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:16.980{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FCC4-6138-2BCE-00000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
734700x80000000000000005427719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005427718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005427717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005427716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005427715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005427714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005427713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005427712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005427711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005427710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005427709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005427708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005427707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005427706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005427705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005427704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005427702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x80000000000000005427701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005427700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005427699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
734700x80000000000000005427698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x80000000000000005427697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000005427696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x80000000000000005427695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005427694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005427693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x80000000000000005427692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.941{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid
10341000x80000000000000005427687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.926{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.926{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:21.926{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
534500x80000000000000005427678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
11241100x80000000000000005427677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A372E177FB0BE55043486C14FD7D7958,SHA256=F1B0036D22D3C4D46466511D5824AB65674BD47530A72C3B0AD66A0E0DC151B5falsetrue
734700x80000000000000005427675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005427674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}32247892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005427672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.394{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
23542300x80000000000000001535306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:21.474{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3875DCE610CD045EF543688500F8AEE2,SHA256=ADCFCCBC124A6A339175196DFCD92142512B402433E901E9DA327A1348B60D20,IMPHASH=00000000000000000000000000000000falsetrue
13241300x80000000000000001535305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x80000000000000001535304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a4c3c35)
13241300x80000000000000001535303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d4-0x8b6e6008)
13241300x80000000000000001535302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dc-0xed32c808)
13241300x80000000000000001535301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e5-0x4ef73008)
13241300x80000000000000001535300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x80000000000000001535299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a4c3c35)
13241300x80000000000000001535298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4d4-0x8b6e6008)
13241300x80000000000000001535297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4dc-0xed32c808)
13241300x80000000000000001535296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 18:11:21.404{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4e5-0x4ef73008)
734700x80000000000000005427671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005427670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:21.269{4DF467A6-FCC9-6138-1ED4-00000000F001}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005427775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005427774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005427773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005427772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005427771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005427770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005427769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005427768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005427767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005427766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005427765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005427764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005427763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005427762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005427761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005427760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005427758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid
10341000x80000000000000005427753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.551{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.540{4DF467A6-FCCA-6138-20D4-00000000F001}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:22.535{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005427744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DA6C0FB982F63FADF8DBB776AFF7B1,SHA256=579D48C7BDDD42EA8E1BE8051DA54F1FCBB9AFD0F0AF7E52059DC1B6FF534EC3falsetrue
23542300x80000000000000001535342Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.523{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7C96DC174ECD91C2D018767F4C5AE1,SHA256=066818CC2E14CA5AC6ADE9BBC40C96FBF1BCC6A7FD7F8C8E9A9E70032FF23E2C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005427742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=865C4B93A6B43FEFD6B6DA9C46CA9E72,SHA256=947218A2182A90715A264713CCFE2760C8DDE4C60BCFDA9318E43F7668BFA183falsetrue
11241100x80000000000000005427740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD41376C458ACF25DAD8C0C898EB7C5E,SHA256=23A889ACE7CB05B26C538CB2D48B4A02921CA5C703BF26AAD200489F88924779falsetrue
534500x80000000000000005427738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
734700x80000000000000005427737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000005427736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005427735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:22.066{4DF467A6-FCC9-6138-1FD4-00000000F001}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
23542300x80000000000000001535341Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64816E0468E38838793EB5AD288D6FFC,SHA256=26FCBA5EEB6EF8BF3FECA9E6D841D00836BF901EDA693565FE12B473C9F92492,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535340Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.156{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535339Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.156{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:22.155{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid
734700x80000000000000005427877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005427876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid
10341000x80000000000000005427871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.926{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.911{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:23.910{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
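The ProcessAccess (Event 10) records above show csrss.exe, conhost.exe and the parent splunkd.exe each opening the newly created splunk-MonitorNoHandle.exe with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS), which is what every new console process looks like on Windows; the record further down shows splunk-admon.exe opening splunkd.exe with 0x101400. The script below is an added example, not part of this log and not code from Splunk or Sysmon: it decodes GrantedAccess into named rights and triages each record using the Event 1 parent relationship, the modules in CallTrace and the target name. Its first four records are constructed from this page's events (the splunkd CallTrace is shortened); the fifth, with placeholder GUIDs and a Temp-path source opening lsass.exe, is hypothetical test input invented only to exercise the suspicious branch.

```python
"""Decode and triage Sysmon Event 10 (ProcessAccess) records.

Added example: the first four SAMPLE_EVENTS mirror ProcessAccess events in
this log; the fifth is a hypothetical record constructed for the test.
"""
from __future__ import annotations
from dataclasses import dataclass
import ntpath

# Process access rights (winnt.h PROCESS_* values plus the standard rights).
PROCESS_RIGHTS = {
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the holder read or alter the target's memory and threads.
INTRUSIVE = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
             "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE",
             "PROCESS_SUSPEND_RESUME", "PROCESS_CREATE_PROCESS"}


@dataclass(frozen=True)
class ProcessAccess:
    source_guid: str
    source_image: str
    target_guid: str
    target_image: str
    granted_access: int
    call_trace: str


def decode_access(mask: int) -> list[str]:
    """Name every right set in a GrantedAccess mask; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def triage(ev: ProcessAccess, parent_of: dict[str, str]) -> tuple[str, str]:
    """Classify one record as ('expected' | 'review' | 'suspicious', reason).

    parent_of maps a ProcessGuid to its ParentProcessGuid, taken from Event 1
    (ProcessCreate) records, so a parent opening its own child is expected.
    """
    src = ntpath.basename(ev.source_image).lower()
    tgt = ntpath.basename(ev.target_image).lower()
    rights = set(decode_access(ev.granted_access))
    trace = ev.call_trace.lower()
    intrusive = sorted(rights & INTRUSIVE)
    if tgt == "lsass.exe" and intrusive:
        return "suspicious", "intrusive access to lsass.exe: " + ", ".join(intrusive)
    if src == "csrss.exe" and "csrsrv.dll" in trace:
        return "expected", "csrss subsystem bookkeeping for a new process"
    if src == "conhost.exe" and "conhostv2.dll" in trace:
        return "expected", "console host attaching to its client process"
    if parent_of.get(ev.target_guid) == ev.source_guid:
        return "expected", "parent process opening its own child"
    if not intrusive:
        return "expected", "query/synchronize rights only: " + ", ".join(sorted(rights))
    return "review", "intrusive rights from an unrelated process: " + ", ".join(intrusive)


def triage_all(events: list[ProcessAccess], parent_of: dict[str, str]) -> list[tuple]:
    return [(ntpath.basename(e.source_image), ntpath.basename(e.target_image),
             *triage(e, parent_of)) for e in events]


MONITOR = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe"
SPLUNKD = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"
ADMON = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe"
G_MONITOR = "{4DF467A6-FCCB-6138-22D4-00000000F001}"
G_SPLUNKD = "{4DF467A6-D933-6137-53AF-00000000F001}"
# From the Event 1 record in this log: splunkd.exe (7044) created splunk-MonitorNoHandle.exe (7020).
PARENT_OF = {G_MONITOR: G_SPLUNKD}
SAMPLE_EVENTS = [
    ProcessAccess("{4DF467A6-D934-6137-57AF-00000000F001}", "C:\\Windows\\system32\\conhost.exe",
                  G_MONITOR, MONITOR, 0x1FFFFF,
                  "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\SYSTEM32\\ConhostV2.dll+5ca7"),
    ProcessAccess("{4DF467A6-3F46-6132-0500-00000000F001}", "C:\\Windows\\system32\\csrss.exe",
                  G_MONITOR, MONITOR, 0x1FFFFF,
                  "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\system32\\basesrv.DLL+2f47|"
                  "C:\\Windows\\SYSTEM32\\CSRSRV.dll+5645"),
    ProcessAccess(G_SPLUNKD, SPLUNKD, G_MONITOR, MONITOR, 0x1FFFFF,
                  "C:\\Windows\\SYSTEM32\\ntdll.dll+a7404|C:\\Windows\\System32\\KERNELBASE.dll+2b860|"
                  + SPLUNKD + "+ce6a3b"),
    ProcessAccess("{4DF467A6-FCCB-6138-21D4-00000000F001}", ADMON, G_SPLUNKD, SPLUNKD, 0x101400,
                  "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+221bd"),
    # Hypothetical (constructed, not from this log): an unknown Temp binary reading lsass memory.
    ProcessAccess("{HYPOTHETICAL-GUID-0001}", "C:\\Users\\victim\\AppData\\Local\\Temp\\dump.exe",
                  "{HYPOTHETICAL-GUID-0002}", "C:\\Windows\\system32\\lsass.exe", 0x1010,
                  "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|UNKNOWN(00000000004012A0)"),
]

if __name__ == "__main__":
    for source, target, verdict, reason in triage_all(SAMPLE_EVENTS, PARENT_OF):
        print(f"{verdict:10} {source} -> {target}: {reason}")
```

The parent map is what separates the splunkd.exe record from a genuine cross-process handle: without it the same 0x1fffff open from splunkd.exe is returned as "review", and a Sysmon configuration that filters Event 10 on TargetImage alone never sees the parent relationship at all.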
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5427862 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.691 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5427861 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.691 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FA0ABE1323901D983B5B56F68A1568E3,SHA256=1EEC6F6C13FC8572B46738E2BF21F0363B5C98CB753A2F1957230D4F9E98BC2D | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5427860 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.676 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5427859 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.676 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5A896A057ACC04507597E0F0DAB41B3E,SHA256=C1EB8670BB922A6F8E7CD114F57C1742E7A6554FE8F70F8426F7E2010C542572 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5427858 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.676 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5427857 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.676 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=865C4B93A6B43FEFD6B6DA9C46CA9E72,SHA256=947218A2182A90715A264713CCFE2760C8DDE4C60BCFDA9318E43F7668BFA183 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535344 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:23.526 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=67EEBA32FD166BE8C3C2DA459A548ABD,SHA256=339694CDA20CBD4063011DF8344CBB23A72CFF46B385149C8437B94060089261,IMPHASH=00000000000000000000000000000000 | false | true
5 | 3 | 4 | 5 | 0 | 0x8000000000000000 | 5427856 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.363 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5427855 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.363 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | 6620 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427854 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.363 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427853 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.363 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427852 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.254 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427851 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.254 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427850 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.254 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5427849 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:11:23.254 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | \srvsvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427848 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.254 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5427847 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | \wkssvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427846 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427845 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427844 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427843 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427842 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427841 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427840 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427839 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427838 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427837 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427836 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427835 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427834 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427833 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427832 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427831 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427830 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427829 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427828 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427827 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427826 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427825 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427824 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427823 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427822 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427821 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427820 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427819 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427818 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427817 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427816 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5427815 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:23.238 | {4DF467A6-FCCB-6138-21D4-00000000F001} | 1356 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | true | Microsoft Windows | Valid
10341000x80000000000000005427814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.238{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.238{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.238{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.238{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.238{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid
10341000x80000000000000005427809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.238{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.223{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:23.223{4DF467A6-FCCB-6138-21D4-00000000F001}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.223{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:23.223{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.223{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:23.223{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:23.223{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:23.223{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
354300x80000000000000001535343Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:15.863{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60616-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000005427984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005427983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=984AF3E9D69FD419F1DD130B084EB0AF,SHA256=FF23D6A8E4E2C9B6AA78CB65DF65DE729451C0F13D145753C8DFC642B3BA5675falsetrue
11241100x80000000000000005427982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D50E19BA6DE9F976EEB8C71F5087BA,SHA256=E6D6BAF760B1B15BE70DB5184D8F3E76C279E23D494A4ED1B2F7F695FDAA13E5falsetrue
11241100x80000000000000005427980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B446B8E538B44999A15D083A760D0D55,SHA256=12F9A3EEE57608D372E2E033E8CD99C68AEB248FF27AAF98FAE9BD143928EEE1falsetrue
11241100x80000000000000005427978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.894{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005427977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.894{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF78004996804ED6A4174D3D2B1753E1,SHA256=5A49B30AA769E4B8B1F08A811A2F068517FC9CD70F275EF033EB36126016F30Cfalsetrue
534500x80000000000000005427976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.738{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005427975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.738{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005427974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.738{4DF467A6-FCCC-6138-23D4-00000000F001}77122128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.738{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005427972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.738{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
23542300x80000000000000001535345Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:24.545{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618568FFC9BE975989DC248DF2C1B903,SHA256=F4B7AEF6BCB77C016170FEFFDABA96ED89397EC72454CF9D94A900C4E28114F3,IMPHASH=00000000000000000000000000000000falsetrue
734700x80000000000000005427971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.629{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005427970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005427969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005427968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005427967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005427966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005427965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005427964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005427963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005427962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005427961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005427960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005427959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005427958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005427957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005427956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005427955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005427954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005427953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005427952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005427951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005427950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005427949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005427948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005427947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005427946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005427945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005427944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005427943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005427942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005427941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005427940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005427939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005427938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005427937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005427936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005427935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000005427934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005427933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid
10341000x80000000000000005427928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.613{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.598{4DF467A6-FCCC-6138-23D4-00000000F001}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:24.598{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
534500x80000000000000005427919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
734700x80000000000000005427918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000005427917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005427916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:24.051{4DF467A6-FCCB-6138-22D4-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
23542300x80000000000000001535346Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:25.566{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168BE5F2259122691A4B5C9F9D5037CE,SHA256=CA5D3EBA0A0429C3CE7CC59FB4C6BDCF1980214A72BF59074187A8F0BE5E8414,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.488{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.488{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B603DEC874B9C81AB3A87DE3C8D65CE2,SHA256=2C016ECE8D3FDBBB1277FFBB6FACC271B46019F5798775DE8B0058A40BBF1EE3falsetrue
534500x80000000000000005428042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.426{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
734700x80000000000000005428041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.426{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000005428040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.426{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005428039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.426{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000005428038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.316{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005428037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.316{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005428036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005428035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
734700x80000000000000005428034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005428033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
734700x80000000000000005428032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005428031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005428030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005428029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005428028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005428027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005428026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005428025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005428024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005428023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid
734700x80000000000000005428022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005428021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005428020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005428019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005428018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005428017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005428016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005428015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005428014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005428013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005428012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005428011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005428010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005428009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005428008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005428007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005428006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005428005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x80000000000000005428004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005428003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005428002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005428001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
10341000x80000000000000005428000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005427999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005427998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005427997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005427996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid
10341000x80000000000000005427995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.301{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005427994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.285{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005427993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.286{4DF467A6-FCCD-6138-24D4-00000000F001}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005427992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:25.285{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:25.285{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:25.285{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:25.285{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005427988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:11:25.285{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005427987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:11:25.285{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005427986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005427985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:25.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6AEAF7992B331E6B0FF01A59D58BD99,SHA256=C822CF70442346D6CB01C339145BE3FB48C5780E54065B38F287D2E02895A4ECfalsetrue
23542300x80000000000000001535347Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:26.569{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7242BC4596E0ABD814B7A0F8C048C76C,SHA256=3C00B00B49E05C084E5550ED5A6961DB66D28D04DDD592D19887BA42AD234C0C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:26.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:26.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=633D8A22484EF279018AD103B5B50AC3,SHA256=053C303CA537A0D47EC9720E4FF0CF4DA48F5B8CFA8E77CBE0C9EF2762BCA041falsetrue
11241100x80000000000000005428046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:26.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:26.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C801DDB75984C9B0677D4DF8BF16F0D6,SHA256=8E7015B758150EAC688FD1684A617C83B142439F7130D3F9CCA5FCB1B765DF65falsetrue
23542300x80000000000000001535349Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:27.620{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD117BA4B40E97B348E819A558D9281F,SHA256=0ECB0028EF2782C909AF4ADD488330D440828419E1EEB87D91818282568CEBF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535348Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:27.052{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7169MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:27.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:27.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9BF60056161FAE23916DA8414111A5,SHA256=183E766F6921C8DA77045324212CAF362D546BA20E2BDF9B52A83F0FC78E1949falsetrue
11241100x80000000000000005428050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:27.018{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:27.018{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0A1B0B44DB545C911042B367C721B1,SHA256=EC6F1F75AE3DC33CB4B73B6A3E3DCC95DD8E431364DE6CA26DF9A57D76895305falsetrue
23542300x80000000000000001535353Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:28.622{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE885041EA1A75371B4FF43D8155E871,SHA256=F55D67AB95D74EEF15BBCB3EFFE993663B61743706CC913813CC18F889CBF9C1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:28.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:28.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B84F4BCB867CABBA38304343D26B28C,SHA256=40CEAE682E11E9657E700DAA2D55092ADEA8C88D186CB0F1848B63E87AFEDA92falsetrue
23542300x80000000000000001535352Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:28.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924808AECD5C9F15B250C4F26A4371E8,SHA256=879BBD2CB00E6505A09A12E73CB9F1AA5A85B6CDFCDDA23A0F9BA6D316CCBC0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535351Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:28.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF7B2D9804FCC6B69E128249BED48901,SHA256=D0610C435292BE53E430F073D9F983AF33011F02833FE8130BE7CF65077FF529,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535350Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:28.052{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7170MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535355Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:29.625{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AC337DC946BC3F55650DE5829D13AD,SHA256=5B87BF7186B75A62F74F2141FED458F08E2BAACDC996F29762FE395732CEE4B7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6297DE28B6E397EA5CDF0137B82A176,SHA256=B986302DA6C125B373B355571E669A4E4BE3CEFECB1A1D474DC0860CB507C77Cfalsetrue
11241100x80000000000000005428060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8DFC7BDE068CBA4F8D47E2F6260C9D9E,SHA256=D15ED4AC1AD4B9CA97D4267001D51AA728210713660CBDD452754A2D147F45BAfalsetrue
11241100x80000000000000005428058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FEFE8FBF90AA8F4DA6F2C49C9BA5515,SHA256=12BEF86243396D34861B28FDED969BC9495F1BC3BD2669A29ADC28AAE9492332falsetrue
11241100x80000000000000005428056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:29.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E88D8A76FE627C454C445A26983C89,SHA256=83CDB0BF64DEE061A4646C10B9D2A73EB4E67B8013050A66D8D93145FB68649Ffalsetrue
354300x80000000000000001535354Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:21.810{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60617-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535356Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:30.643{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BCC8A0B0FA391C3B67DBC38E9B551A,SHA256=A1D69B58B889C9C638CA6580512A2CF696A446FEE175BD39EE4A63C0DE813596,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=68A2CA7360A73CA494DAF4D136789073,SHA256=DEA3B7A70F9D0E848A87F28CBE7AEC34C08E36B7CBF3C63322232C637CE02024falsetrue
11241100x80000000000000005428066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.237{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187
23542300x80000000000000005428065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.237{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E4EE40A452A6F3C4E4B6968E24C0A3AE,SHA256=E21E821332458B400EB48C1FA52D3D7683D903C5D67C720D06481EB27E02479Cfalsetrue
11241100x80000000000000005428064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:30.096{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7D90B7EDDCF11EFA123F5E3BB9711E,SHA256=348109F611C47B860E889B6932041E7A170427C0C7E2E192763996917053A141falsetrue
23542300x80000000000000001535358Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:31.645{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D776BF9B83E54632BC2D9502B4EA7A,SHA256=A8C6D2B6A0A30F338E18726B90076435FF614E6B956523F1F03D77344752521E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:31.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:31.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE340DFC770FABEC6364CC24E6F2E34,SHA256=B6B8EF87583B05111DD7F68C1AA7C0EDBB6FFDCE77A47C1CEE51B46DEE230042falsetrue
23542300x80000000000000001535357Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:31.097{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B95E9113A441DE7C74AC634CD9BA4B34,SHA256=3B7F7BB7463F6DED632BF2463CD7E5D15E2C25E40BB351B5C05A5BFD8A00FC40,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:15.828{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63372-false10.0.1.12-8000-
23542300x80000000000000001535368Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.662{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DC31E1B47E18252B3027E662C64833,SHA256=E4AF629CE40863C67E5A23C9D4719288EAB2DCF46F2A0549FEA48500740B0EDC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:32.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:32.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DECB9CD3061CCF59ED7D2271AB97A76,SHA256=1E42EDEF0D2E87929526B500107CC7E7228140462FAA1B474F8C35AB9BB3BF49falsetrue
10341000x80000000000000001535367Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.599{AEE49BD1-FCD4-6138-2ECE-00000000F101}32125516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535366Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.480{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535365Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.479{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535364Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.479{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535363Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.478{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535362Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.478{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535361Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.478{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535360Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.478{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535359Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:32.463{AEE49BD1-FCD4-6138-2ECE-00000000F101}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x80000000000000001535389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.985{AEE49BD1-FCD5-6138-30CE-00000000F101}8681844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.863{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.848{AEE49BD1-FCD5-6138-30CE-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.663{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F131D2CDE81773C655E96A6B34A8573F,SHA256=DA32F78B27F5092BECD09EB802C695F111F3FBD1C116345E02F8B5BE4F289B7E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:33.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:33.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC333D35D76E679EDC5109AB66486B7,SHA256=3853C30753AD2B520AA183B6BAEA847540134A52EA87F69F43CBBFD05E43FC8Bfalsetrue
23542300x80000000000000001535379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.482{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E1E4BA7F2E344DB42D0DA400826505,SHA256=70EBEB2BC5250873E208A463432096D27E6E429DF9113F536723BEBDC878E5E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.482{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924808AECD5C9F15B250C4F26A4371E8,SHA256=879BBD2CB00E6505A09A12E73CB9F1AA5A85B6CDFCDDA23A0F9BA6D316CCBC0E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.285{AEE49BD1-FCD5-6138-2FCE-00000000F101}49084268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-415A-6132-0C00-00000000F101}7244412C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535371Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.163{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535369Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:33.148{AEE49BD1-FCD5-6138-2FCE-00000000F101}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:34.883{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E1E4BA7F2E344DB42D0DA400826505,SHA256=70EBEB2BC5250873E208A463432096D27E6E429DF9113F536723BEBDC878E5E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:34.685{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CBBE0426DE8609DEFBCA6B17AACB49,SHA256=251543038A3E610784739472C0B0B65340EC2415230A6F394591485702867051,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=828B57DEDE5037C2C8F6AC358FD51991,SHA256=B3421075872D8D184CCA17FB1216CDAF58FEFEAFAF57FE3D17FAA83142FEC676falsetrue
11241100x80000000000000005428081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=646EB761FBB717CE10177D65503B5B28,SHA256=05C6A7146AE094EF5797F03AF2B9F55B9D8827D5AE34F4897E4237A04E011014falsetrue
11241100x80000000000000005428079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4835459734A9566C6C135C0CE7F30F81,SHA256=3AB653B3640A213AF3EED7352A238521AD92F5FBB243C662AACA2D49EAB2B106falsetrue
11241100x80000000000000005428077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:34.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212E310E1E7514D5EE64026A4ABC3FD5,SHA256=90F0A2AE673B9152CACDB2D2F10601DA9E3B666E2542F494FDA1EFD1903A4F7Bfalsetrue
354300x80000000000000001535390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:27.777{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60618-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:35.719{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194A29173EBE0569348E87F5BA1D766D,SHA256=A4AA6EA97828EF07070121E69B9D3D82C5583C4840FBFF733E7B772378CE4EEF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4252B6184CB10C09A3C0EB01A9B6DC12,SHA256=AC029E6804B1723CA150CFBD3FFA573363A4C8E4CD673FDC643FEB0620F2ABBDfalsetrue
354300x80000000000000005428086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:20.891{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63373-false10.0.1.12-8000-
11241100x80000000000000005428085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC996FF3610DD98F344B1D478CAC0CB,SHA256=06CB79927EF72E2A374F088683A44994ABB9E5BBE7285C8BE6B5BDC1C0DC5EB7falsetrue
23542300x80000000000000001535394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:36.722{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604246D7ED88213A48785E3AB6C9C630,SHA256=2516F620118CE0B79A1C21D7EDFB3F7D13B7FEA4AC75B3AA5043632EF2EABC79,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:36.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:36.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB4BA900FD8D0E7EA47A7FDC4DEAEE6,SHA256=119AD406738C327229CB5D045AE1F1BF912B36AD7E642F971E35E6AFCCA8D277falsetrue
23542300x80000000000000001535395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:37.757{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7732ECB1BA94D59D96D78483C9173C,SHA256=7E51046F567BDD3F57E04085CD8A0F180910959A1E6DCCC489DF24CBA11FB96C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:37.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:37.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F287C172B13A29D397A31477607F18AF,SHA256=C410643FAE5C351E7E4EA86508A3B7E2F436191CAD843FF8F036DD20C649FC5Bfalsetrue
23542300x80000000000000001535396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:38.775{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D40C8D787E8252BD98E7EF47EE5291,SHA256=F131BEBFF09F9513B7C3ED31B7741AABC8836989545CA16A95A9979DCC542176,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000005428131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005428120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:42.143{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
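The run of Event ID 10 (ProcessAccess) records above is svchost.exe PID 896 opening explorer.exe and ShellExperienceHost.exe with GrantedAccess 0x1000, and every CallTrace passes through rpcss.dll: the RPC endpoint mapper querying the identity of a COM client, which is constant background noise on any Windows host. The same event type is also the one that catches credential theft when the target is lsass.exe and the mask includes memory-read rights, so a triage rule has to separate the two. The following is an added example, not part of the exported log: it decodes the access mask, walks the call trace, and classifies the records. The two baseline records are rebuilt by hand from the fields visible above (the export fuses SourceProcessId and SourceThreadId into "896916"; they are assumed to be PID 896 / TID 916). The LSASS record, its path, and its call-trace offsets are a constructed negative control that does not appear in the export.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records (added example)."""
from dataclasses import dataclass

# Process access rights from winnt.h; Sysmon reports the requested mask as
# GrantedAccess. 0x1000 on its own is a benign "who are you" query.
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

RIGHT_NAMES = {
    PROCESS_TERMINATE: "PROCESS_TERMINATE",
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}
KNOWN_BITS = sum(RIGHT_NAMES)

# Rights that let the caller read or change the target's memory or threads,
# i.e. the ones that matter when the target is lsass.exe.
MEMORY_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ
                 | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)


def decode_access(mask: int) -> list[str]:
    """Name the known bits of a GrantedAccess mask; leftover bits are kept as hex."""
    names = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(hex(leftover))
    return names


def call_trace_modules(call_trace: str) -> list[str]:
    """Lower-case module file names in CallTrace order (innermost frame first).
    Frames look like 'C:\\path\\mod.dll+offset'; unbacked frames are 'UNKNOWN(addr)'."""
    modules = []
    for frame in call_trace.split("|"):
        path = frame.rsplit("+", 1)[0] if "+" in frame else frame
        modules.append(path.rsplit("\\", 1)[-1].lower())
    return modules


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def triage(ev: ProcessAccess) -> tuple[str, str]:
    """Return (verdict, reason) for one ProcessAccess event."""
    source, target = basename(ev.source_image), basename(ev.target_image)
    modules = call_trace_modules(ev.call_trace)
    rights = "|".join(decode_access(ev.granted_access))
    if target == "lsass.exe" and ev.granted_access & MEMORY_RIGHTS:
        return "alert", f"{source} opened lsass.exe with {rights}"
    if (ev.granted_access == PROCESS_QUERY_LIMITED_INFORMATION
            and source == "svchost.exe" and "rpcss.dll" in modules):
        # The RPC endpoint mapper (rpcss.dll hosted in svchost.exe) queries the
        # identity of every COM/RPC client; this is background noise.
        return "baseline", f"rpcss.dll in svchost.exe queried {target} ({rights})"
    if not ev.granted_access & MEMORY_RIGHTS:
        return "info", f"{source} -> {target}: {rights} (no memory access)"
    return "review", f"{source} -> {target}: {rights} via {modules[0]}"


# CallTrace copied from the first record above (RecordNumber 5428137).
RPCSS_TRACE = (
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|"
    r"c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|"
    r"c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|"
    r"c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|"
    r"c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|"
    r"C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|"
    r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
)

SAMPLE = [
    # Rebuilt from the exported records (svchost.exe PID 896 -> explorer.exe PID 96).
    ProcessAccess(r"C:\Windows\system32\svchost.exe", r"C:\Windows\explorer.exe",
                  0x1000, RPCSS_TRACE),
    ProcessAccess(r"C:\Windows\system32\svchost.exe",
                  r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
                  0x1000, RPCSS_TRACE),
    # Constructed negative control, not in the export: an unsigned user binary
    # reading LSASS memory from an unbacked (UNKNOWN) return address.
    ProcessAccess(r"C:\Users\example\Downloads\tool.exe", r"C:\Windows\system32\lsass.exe",
                  PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION,
                  r"C:\Windows\SYSTEM32\ntdll.dll+9d4d4|C:\Windows\System32\KERNELBASE.dll+2c5e4|"
                  r"UNKNOWN(0000020F3B2E1000)"),
]


def run(records=SAMPLE) -> list[tuple[str, str]]:
    return [triage(ev) for ev in records]


if __name__ == "__main__":
    for verdict, reason in run():
        print(f"{verdict:8} {reason}")
```

The rpcss rule keys on three things at once (exact mask 0x1000, source svchost.exe, rpcss.dll in the trace) rather than on the mask alone, so a tool that opens lsass.exe with 0x1000 and then re-opens it with 0x1010 still surfaces on the second event. If the call trace of a hit contains UNKNOWN frames, the caller is running from memory that is not backed by a file on disk, which is worth more of your time than the access mask itself.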
23542300x80000000000000001535412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:43.926{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1D66EC24FC782866E6E38478C07E35,SHA256=E29D35DFC02398CA661E3D5835F34B77392AAC7BCC40BDC4B2677204CAA9F21C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:43.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:43.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000A730EB77A2895EF83DBE4DF0025CF,SHA256=4CFB0AF6AA75D1B78A8052CBC58950A6FE602B070E21EFA405279B8591AFEAA0falsetrue
23542300x80000000000000001535411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:43.841{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A4D7263497715701344D41FD1AC789B,SHA256=BDF6D0C16D25A64F55EF2D762617D1B42AD31D605EA9FA6C05D736B5143729BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:44.928{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D162D52C05B901393258FE0C44680C,SHA256=416065FB14CF43BABE8CF38DC9309D4B811FF86CCD4B1DB35E16C2AD201258BD,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7749FDEDDA8E953A3A997903683B8282,SHA256=F02F80946D78223BFB7A645EB12EFC5181C92879C7FD7018FB4BE0DCC1792FF3falsetrue
11241100x80000000000000005428162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AA6328C6E05024597EA9860095FDD3A,SHA256=85EF241CCC4C77274156066A39435E99E98C296ABF621711BC0216590671F13Cfalsetrue
11241100x80000000000000005428160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:44.565{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B2F6A02E8EB898D1A94E1B997866D4,SHA256=7FBFBCE17433F3615513C675F2E166D0361901568C3180CDD8FE63A7F491F9E5falsetrue
23542300x80000000000000001535416Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:45.930{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3FC8FD96C2E6B0FA4700AD053C853C,SHA256=0114EF1AEE04ABE6EEBB9929C227A91FC521B9CB9E8B7CBDC2F43B5DCFE1950F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:45.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:45.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3907995DA255F8EB7B73DA81AAF9BD00,SHA256=9B800986061B33A8C4D1B1032519ADC5E2CCFF63CFFFC599E1ACEF85DF6CF7A0falsetrue
11241100x80000000000000005428168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:45.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:45.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B8B469C1594EF96FF6F8D61F84CF03,SHA256=05F6FD8B12DF9D09A95F979967499592B63925C807BBF3272D44C1D3D6D3220Ffalsetrue
354300x80000000000000001535415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:38.716{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60620-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535414Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:45.090{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93E670FB023FFE979B68F32DC4604EB2,SHA256=0989DDFA98E45ABE3E74D03D16C8A6CDD104E4E8CA6723CC6FB85AF675E03AE6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:45.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:45.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384A18342B4101845E7C08CB479D9913,SHA256=9167D9A5CF6B3F569B47D458AFF5069D03EEF53DAB055C35286C73BC38F83C74falsetrue
23542300x80000000000000001535417Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:46.932{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82AFD025C2133145D94299B731F38A4,SHA256=556D1A432BBA8F1ABE558D38956FA1E156BBEC57566D686311DFA2C3541A2452,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:31.906{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63375-false10.0.1.12-8000-
11241100x80000000000000005428172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:46.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:46.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEBC371123955D88169F635DC44AC77,SHA256=CDC61398E46D94AD8F5E2D0A6E7EDCF2D4BE205DA332FAD53FFE4F78F1D3A497falsetrue
23542300x80000000000000001535418Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:47.935{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1FB80A485F2A414C798316C822F02B,SHA256=5CC1C9D60604F04C772B683D0E66C36F13525431396E185F2AAD9335F1DBC2CE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:47.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:47.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BF19FBB6423E45B91DF28A2299FF2A,SHA256=51FE648C1DFCB31E1B7B985BA289E78720ACD22937A01F39CA9996E667FFF118falsetrue
11241100x80000000000000005428177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:47.688{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:47.688{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DE423B300031218C0BC00CEC3150E3,SHA256=67EF9B8F4AA683A0F3BB9895329406FB48D7145DF8B43AA25786DA58125C7043falsetrue
11241100x80000000000000005428175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:47.610{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623
23542300x80000000000000005428174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:47.610{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue
23542300x80000000000000001535419Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:48.938{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D960ECC4C177931B3C074131B455ACA8,SHA256=8A68F48C3DC92BC890BB7DC0D78EB31EF395353671EEEEA121BB2702FD268906,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:35.263{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63376-false10.0.1.12-8089-
11241100x80000000000000005428181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:48.704{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:48.704{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC942437BDA4E94E1C103030975DF04,SHA256=FEA2B930508231017267C290984233231F690E729B8E39908B04BFBE67C3CC71falsetrue
23542300x80000000000000001535420Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:11:49.941{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3E0471CACA1147092F7443D68FE7A3,SHA256=64F0689810A9632566DC0D5B32A40F89AD9DA7412C42BD62B8A9054F1C55B6AC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:49.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:49.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70E95234BACD238E70AA3AED4338E97A,SHA256=F1DB7FE6DAE6ACFBA2702571B1E3CF2DFA97F88048B87150E845D8D7D818A175falsetrue
11241100x80000000000000005428198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:49.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:49.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C91546BC869CC123294DB2E73D606FD8,SHA256=C064957BE1F5E1DA39666B483C1A72EC53C9349DA3DA37F1CA3850D2CA771D6Afalsetrue
11241100x80000000000000005428196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:49.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:49.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3FDC96E2B52E108D832D649143E640,SHA256=F8226EBD3F6BDE3BE0709C4F5D462FDEF73D281ACF56463F7B9EE7CBE7653E49falsetrue
13241300x80000000000000005428194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:11:49.360{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
Sysmon events, Splunk table export (column separators lost in extraction; restored here as " | "). Every record starts with the System fields EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer, followed by EventData in Sysmon schema order for that EventID (RuleName is "-" when no rule name was set):
  EventID 3  (NetworkConnect):   RuleName | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
  EventID 11 (FileCreate):       RuleName | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
  EventID 12 (RegistryEvent, key): RuleName | EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject
  EventID 13 (RegistryEvent, value): RuleName | EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject | Details
  EventID 23 (FileDelete):       RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428193 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount | QWORD (0x00000000-0x1a54a846)
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5428192 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428191 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow | QWORD (0x01d7a4d4-0x9badc8b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428190 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated | QWORD (0x01d7a4dc-0xfd7230b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428189 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh | QWORD (0x01d7a4e5-0x5f3698b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428188 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence | DWORD (0x00000006)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428187 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount | QWORD (0x00000000-0x1a54a846)
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 5428186 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreateKey | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428185 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow | QWORD (0x01d7a4d4-0x9badc8b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428184 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated | QWORD (0x01d7a4dc-0xfd7230b9)
13 | 2 | 4 | 13 | 0 | 0x8000000000000000 | 5428183 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | SetValue | 2021-09-08 18:11:49.360 | {4DF467A6-3F46-6132-0B00-00000000F001} | 636 | C:\Windows\system32\lsass.exe | HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh | QWORD (0x01d7a4e5-0x5f3698b9)
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535423 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:50.943 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B7388493D39E91B92A96BFBFB4D71BD2,SHA256=FFE2977B56025525131025B8899B76EAC92C8F4F8E77000BF85AA704D8B23C8C,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428204 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428203 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=5D805D1263C2C19AA4ED06EEA32CF5EC,SHA256=DDBE15C7C9D636322EAF0CB06B5662C8306532281C6F07B0800AE40FED32317F | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428202 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.735 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428201 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:50.735 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B94154ECDE12EFB6C9A9177D286D22D0,SHA256=4AC0B46CBE6DAE85D0870ADC1F3BDFA5C04A9F35FF2FBFA6C39C0C6590B20AD2 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535422 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:43.729 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60621 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535421 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:50.072 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=DEAB431D6B91FD06B8ACDB7FAB6E575A,SHA256=C65C658FDBFAB46B39527252836587BA54DBE4E94B6DE606D1959EC370991582,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535424 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:51.944 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4C1CC040C27660E68803AB56CEB5F55E,SHA256=8C3CD8381C8D9FC6EB70A69C5C5E6607F2620806009BD8FF8C2922766DC30369,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428208 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.751 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428207 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.751 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AD0FA7A195B40E10E13B2247228CB2A4,SHA256=8463832549CC8284E43DFD58FD07E3D8D7E852DB8A1D1D0783411D7B460A5F72 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428206 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.407 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428205 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:51.407 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=27F0DF3038262E9830C0FB7A4BDEA44D,SHA256=ABAA7F725B3C4F483AB8540F689BBCECFF2EF483A0069C51F479329FDE247780 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428211 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:52.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428210 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:52.766 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C020AEBE9D3629C55BEE114BE16B2620,SHA256=8760F869D7450F994885A69B7245726596D05199E79AE2F39CFBF2298E86B1DA | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535425 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:52.946 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4CE3F8D131900E889660784F7EA57195,SHA256=76B4A603C81A27090834F326AD2AA03E302C6BD14D4CBDB5096D62A2A6985FAC,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5428209 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:37.826 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63377 | - | false | 10.0.1.12 | - | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428213 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:53.782 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428212 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:53.782 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=89A309A3E6AEA8D33480A8DFB5261C45,SHA256=CAB6A10463F22F0C31F0D92691E98D1342F60FF55BC6DEEFEB1A23F5B95DD948 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535426 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:53.949 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5DE40E2DD42ADCC89C5542B25D33AE1F,SHA256=454A49AF6EB9BA4545513F3AB7D7F3FF40E793CC0D9E3C48C492A448F1537C51,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535427 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:54.951 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B01BB647E4B4C58E173B936438B2B050,SHA256=6242DC0916509ABFECA4449A9190C233365A161DBBF5580FC8FF8402B1E7CBEE,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428215 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:54.797 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428214 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:54.797 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C6177FB9E653DC95E86062FE9AF19C6D,SHA256=6D82458C118A15AA427DA4F32BA93F28740DB974BA26B6D6BFECA69212DAB694 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535428 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:55.954 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B18142C7193C273098402E7DDEB89CC7,SHA256=897554B93DB96E81C7937E690C667C45EBE9E280DC9731FFAD1FC159A218C849,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428223 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428222 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=72E80CA87DBCDB3D7E2BFC228E4D7F7A,SHA256=887C023CB4E090FE24FB264423C58CDB3456DC19B7B58037FD9AFD54764777BC | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428221 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.813 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428220 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.813 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BFCD5F2459ABFD9AA73C0F12EC672517,SHA256=F2858386604A563D2F30F995B35FAB896BDCE1AB5A23C26A52A3F4179831CBEA | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428219 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.360 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428218 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.360 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=A99483446CE4A1869E5C35AD0404373B,SHA256=ECE02BC138C4806FAB1CE9142ABD46984A6478C53F55586F7D743D8101BFAB97 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428217 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.266 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428216 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:55.266 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=5F4C0292BA17DCAC36294DCA7F99F440,SHA256=6F61A893F34FD1F7B1ED23C7A133EC1D5301229461793AF2DB52FC88E2CE8E2C | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535432 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:56.956 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=76C09B1B153EFC955CF482D5F6504081,SHA256=507AD6F90B61C7BEDEE7B162BC14D9EFED307E3B0F2F76AF54410DF3D0EADA8F,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428225 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:56.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428224 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:56.829 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B1BB1B9874CF61FB4323AA111CB54194,SHA256=0F020484490612D429A673A2CFDF4BD973AB38555112B291656716E4AE540899 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535431 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:49.691 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60622 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535430 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:56.038 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F86BA1E6107A50CAE37D9A527D1699EC,SHA256=73B97A519178E7814D43F57706F42B522BC65AB2F30D5D820B389A48B49CCAAC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535429 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:56.038 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=EBD9269254B4E7444CB884D552F8BA18,SHA256=6ACCBCD2BD85D535F9DCD902F685184B812AA144EC7C93B9569ED89BCCFCADD4,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535433 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:57.958 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=37B478271E03D71BE4817FAF50029113,SHA256=BF65C25E57DE41B3C59F5BFBF9C44944188A3D16267D197224E2D472A3334E6E,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428231 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:57.844 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428230 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:57.844 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B7CF767A12DE1EAE5317BB80D43DBE9D,SHA256=72E680395F31AF6366946EE07D5E9C99CFD091874F131F54F47400D90622F4A2 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428229 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:57.141 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428228 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:57.141 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=09AD9586AD2F7083A8EEF7400CB8FBC9,SHA256=FF2067F9D7175087D9830C904CF6519B9BDBFE890024CBB747CD9F5906A4C734 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428227 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:57.141 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428226 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:57.141 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=D557A5D8855271D4C584AFFEAB5F9D0C,SHA256=33F01C26BFF89978D7105F1274C8B4EA965374EE2A1A30A3646D105DF157D741 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535434 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:58.961 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F660A5D3E90EBF85591F6F96CA296C63,SHA256=D3928AF7FAE359EF7E7C384D677FD116A320675D60101C56EE416423A3507BE7,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428234 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:58.860 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428233 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:58.860 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=546DC6567364A1B478294B05F3D9F0F3,SHA256=C64736297D507B3C8FD51ABF704F64CD2E090D71DB18166EEFA8E6556E82C0E9 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5428232 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:43.732 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63378 | - | false | 10.0.1.12 | - | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428236 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:59.876 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428235 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:59.876 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=202A077A47BF2DAAA8EFF4D3B7785AF0,SHA256=E88DDD7E757DDAD90C206613A42C66CE4ABF41D81BDB58AAA25EFA4F575710DC | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535435 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:59.964 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3A8EFFF069DB522CC82680A11830F5D6,SHA256=FC5F39FC70BCF4187AA9D15E7259A05BDC829F2118271EFF0547FB9B6829AEAD,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428244 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.938 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428243 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.938 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=78723483A9F7A8A739596BF4039E5899,SHA256=92167CB5217948C54292F871BA634514EBD94451AE1EAD978D05B2F9EB3496E5 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535436 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:00.967 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3D58ED8739907E9202EA20E4525EE13C,SHA256=BF3CBCC5C1AB82D8AD20E164412D91D942C11E9667C28EAF5469292D04AB9F79,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428242 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.876 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428241 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.876 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=C10C0BE58731B1407C0E509BA9AF69C6,SHA256=FC6455C3BF0ABE218F0A17C7835FE1371A799BBAFA57729D5A99ADE69741152C | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428240 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.172 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428239 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.172 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=BC9474957C0232C5414959ED1C257FC4,SHA256=96A63FE9B545383870DF41FFDC51078C2ABC5AE8424C4034B4A5226F716E53BD | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428238 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.079 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428237 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:00.079 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=83BC633D50A32207313704F48328AFF2,SHA256=74F0C0EFC29897E982CA50B49E6E45970B937F7413C1E95E08E3637AF97105E5 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428246 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:01.969 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428245 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:01.969 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DBF6600D847D1ABAB84152862226E659,SHA256=54D540AE897B7AAB807ACAE09BA13A746D784DE12A1D21BE3C5082228BFDC0E9 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535439 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:01.970 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=71B263A5D4D0406DA93AE87F1F8439C4,SHA256=68B971E478CAB16E7D69F0D8BDF652FA398ACDF220397F605A6104C740692BF9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535438 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:01.167 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=2AAD22FAD55E4F81E2AF4AFAA8044111,SHA256=5EC43168F921FB37E931D43EE5237FB8AE696A0DC0B207F510CCB94D6A689DF0,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535437 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:01.167 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F86BA1E6107A50CAE37D9A527D1699EC,SHA256=73B97A519178E7814D43F57706F42B522BC65AB2F30D5D820B389A48B49CCAAC,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428253 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:02.985 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428252 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:02.985 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DF5852EF1E00847BE9299ED51A949257,SHA256=C6FAC478FB658AB88955793D005676D94BDEA9682DAF5D80D4AAE588FD9B0A8E | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 5428251 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:11:48.872 | {4DF467A6-D939-6137-81AF-00000000F001} | 4208 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-291.attackrange.local | 63379 | - | false | 10.0.1.12 | - | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428250 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:02.235 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428249 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:02.235 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=39446940A7C870E33B0BF357C0E691ED,SHA256=1D629A30C29D9997D1AC915A542360F5346368FAB0ECBE589DCBB84450F1EFE0 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428248 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:02.235 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428247 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:02.235 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=09AD9586AD2F7083A8EEF7400CB8FBC9,SHA256=FF2067F9D7175087D9830C904CF6519B9BDBFE890024CBB747CD9F5906A4C734 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535441 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:02.972 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=40895FC3EE34DEC7E45D5B678716090D,SHA256=C117FB452CA1CC189BFB20494C73FC263F38C8D81CCFBFBF4DFE3D6D351AB6C7,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535440 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:11:54.824 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60623 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428255 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:04.032 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428254 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:04.032 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E10D4068AE854E0501D953EC99136A91,SHA256=C820B343F068B0D1A957B3009A1DFC7E2868B3A6B41AC8E089D95FDA36FDBE49 | false | true
23542300x80000000000000001535442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:04.007{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE2B30A47DD6CDF7A8D9E5007ED23DB,SHA256=585A66FD6317522116EAF5D37BCF613A86C365F1C0D339AF0780E42D21DDA801,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.954{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.954{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6D9D0E9D5D9655D4DB98A04EC5124A0,SHA256=9B22130A32EF12DEF762823C5434CB3B7EEFB43F1E02CF3290A56167101F58E3falsetrue
11241100x80000000000000005428261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7516E774196951AEFC4FC14219A00C4A,SHA256=C089D0A1039E5ABB33A0749D8EB35E3AD51FDE94736695023339C3446AF6A99Efalsetrue
11241100x80000000000000005428259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8C9DF075AFD1E67A9CA1B5AA0EF7FAA,SHA256=ACD103F79694C92315D9E430FD95DCC9EF4C4E4F498E7DA0229345C15F60A187falsetrue
11241100x80000000000000005428257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:05.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D560AD9D0936E9159D4A39D1097A05F,SHA256=2A63C98B8201AABBF2F4D620056CF96BD533E2728AC359F09355369E595E7F16falsetrue
23542300x80000000000000001535444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:05.780{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E21D0F8811C73FA330965CC33DEF3C2C,SHA256=F5A4931A7F381D8F30A08ABA2FD170D9DD722D147F95E72996EE3AF5115780C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:05.009{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6168DCFBACD8919F34720C2A19C2AA98,SHA256=72E200E2122FB66794D01FAEDBADD5C144B0C1AA33DF790EEA28028374CB0467,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.391{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.391{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C7B8155E733C176F3AD8E79E6ED291,SHA256=4A85AF2A28EFA2C276F9A6A1EAAFADCCBD197DE39BD6BED66BB4A9A4E942775Cfalsetrue
23542300x80000000000000001535445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:06.027{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBB0ABE2CAB539E774A99CD21ABB96B,SHA256=758E6468AF8B11DCD099B7485418A6B5CE7E91D460AFD7134A1E29AA2E6866C1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAF5E0F21CB00D1D4591F1FF3E40057,SHA256=4893FF344846BE65CDCBAD49DE57219AAABBFB7E8DB7FAD1C8529F66B755707Bfalsetrue
11241100x80000000000000005428269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39446940A7C870E33B0BF357C0E691ED,SHA256=1D629A30C29D9997D1AC915A542360F5346368FAB0ECBE589DCBB84450F1EFE0falsetrue
11241100x80000000000000005428267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:07.584{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4651A36E547876268FDC20153501380,SHA256=53214BDC5E36B9653F063762E46D62333D769FCD6979BF509F599D6D9888718Bfalsetrue
10341000x80000000000000001535451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.662{AEE49BD1-4464-6132-C502-00000000F101}45004828C:\Windows\Explorer.EXE{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80137AEF8A8)|UNKNOWN(FFFFF8CB6D4A5B68)|UNKNOWN(FFFFF8CB6D4A5CE7)|UNKNOWN(FFFFF8CB6D4A0371)|UNKNOWN(FFFFF8CB6D4A1D3A)|UNKNOWN(FFFFF8CB6D49FFF6)|UNKNOWN(FFFFF80137807103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad
10341000x80000000000000001535450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.647{AEE49BD1-4464-6132-C502-00000000F101}45004828C:\Windows\Explorer.EXE{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80137AEF8A8)|UNKNOWN(FFFFF8CB6D4A5B68)|UNKNOWN(FFFFF8CB6D4A5CE7)|UNKNOWN(FFFFF8CB6D4A0371)|UNKNOWN(FFFFF8CB6D4A1D3A)|UNKNOWN(FFFFF8CB6D49FFF6)|UNKNOWN(FFFFF80137807103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001535449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.647{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1a4cf0d0.TMPMD5=D01734B513C185F70D31918B721F4959,SHA256=42EEB2A2D24121428DB1C3CED6B22CD4D28DD42208C27788AE4A4B1C5C2C9541,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.284{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50CEA71E0F550740829D804F574E6D3,SHA256=2C4936B45E9BF3ECB3460ABC300DDD854F947EAF26346CF94110BF66659FB52C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.284{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AAD22FAD55E4F81E2AF4AFAA8044111,SHA256=5EC43168F921FB37E931D43EE5237FB8AE696A0DC0B207F510CCB94D6A689DF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.046{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377A293F4F4699AFCCFDD20EED69AFE1,SHA256=CA0F637805CEC9D701BA4A10BB2672142EDBE514BF92E40506D29EA9F55F9A0F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:08.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:08.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CEB9D56059C75A1DBBB6F69903E59D,SHA256=EA6F10D254CAD5760E49D1295C89E3E8649FEF41EE8905080F0326D486390A72falsetrue
354300x80000000000000001535453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:00.755{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60624-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:08.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48E08FFA40730191D49E3F8914438D2,SHA256=2FDEE4D4CADDBDADEE946E2CC92DE5C44C55FA637EEF64CB7CF30682A2AF6CBA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:09.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:09.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EE7D4E91BFB1AEB15011596ADA8B33,SHA256=680189DC2A5BD2A8B713C5F159574701756BC9190103C56BD42BFCE8DDA801CEfalsetrue
23542300x80000000000000001535454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:09.068{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FBD7D29C781416F450F27D02DD7081,SHA256=FC0E08D3A6BAF9A774FD727433EC592AA4AA6B907ECE353E385E75F68E422609,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:54.740{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63380-false10.0.1.12-8000-
11241100x80000000000000005428286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0059BC91078708BEE9079E69DB6172E5,SHA256=81F3072D84DFD7F45EE0902125BDB5CF6A0B521920548048050DEF2FC1B2920Afalsetrue
11241100x80000000000000005428284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1525CDD5ECCDAD745D4B65F46841E48A,SHA256=802443AC42331DAEE3CB81C85DFCF27476CF6C9A0B2194B2D28C396BE47E790Bfalsetrue
23542300x80000000000000001535455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:10.072{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFF3CF53E4EEE91EEE2CD6FED8CD796,SHA256=FB916DAC36226BB263997D2930EA643FF76059314CC1C3AA9C1A391CF481905B,IMPHASH=00000000000000000000000000000000falsetrue
12241200x80000000000000005428282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:12:10.209{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005428281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:12:10.209{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
11241100x80000000000000005428280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C2674BDF3231EFD57B4B797374ED254C,SHA256=71C3DDE062593A102AA62B8126072F6E421E0785F6D51CBA62428494F594D5A3falsetrue
11241100x80000000000000005428278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46BE56F109D4FE138BCA8A1C6B25240C,SHA256=E38A8B40A7F6345FC7DA9BB91C35BA4EE19751A076C4A96ABFBCB35377F1DE4Cfalsetrue
11241100x80000000000000005428290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF0C17445037E988E4459305ADA09B6,SHA256=DE297DA6155C1673DECC2E2466A2E991E5119A2A5C2113D45511D6569B69A934falsetrue
23542300x80000000000000001535456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:11.074{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785C6D05BD6EC6BAECA02DBAA8E1B12D,SHA256=99BF47751C63C05EC678AE860FF6930ED5BD767ED4BCAF4F844A48E662B3C27B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:11.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAF5E0F21CB00D1D4591F1FF3E40057,SHA256=4893FF344846BE65CDCBAD49DE57219AAABBFB7E8DB7FAD1C8529F66B755707Bfalsetrue
11241100x80000000000000005428297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2D54B7F361B1E4B2466237742CB52C,SHA256=DDFF20E6220427B1878DDADB8CAB26A2C35A115A63A5F9BE7E26ADA134D839F2falsetrue
354300x80000000000000001535459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:05.785{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60625-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:12.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50CEA71E0F550740829D804F574E6D3,SHA256=2C4936B45E9BF3ECB3460ABC300DDD854F947EAF26346CF94110BF66659FB52C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:12.077{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF757184A87A1FE2649E09AFFFCCD6D,SHA256=DF0E99DC195B6ECA8BBC2F70D6BBABA6571E98E4AA87C276F3F6D81742591B42,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.862{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63381-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
354300x80000000000000005428294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:57.861{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63381-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
23542300x80000000000000005428293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.057{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7179MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue
11241100x80000000000000005428292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.056{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71792021-09-08 18:12:12.056
11241100x80000000000000005428291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:12.055{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71802021-09-08 18:12:12.055
11241100x80000000000000005428302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7223A248AF68B9AB4A02CFCDA144F848,SHA256=3515FD589034FC22FF03EF7BB3D0476C679047CCD75B6A5FCFF871A7E8BD142Bfalsetrue
23542300x80000000000000001535462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:13.982{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97A933C5BA92AD61FB93F09B36DDD714,SHA256=B1E78AABBD6BD61BFB10ABE6085445E57DE2CBC61C0A0C520C13FE09715F24A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:13.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF58F69267F86352252EA14B6C02F77,SHA256=90F6E621F352EC15E9AA2C3DEC29CF764DB32113130CEDA9C266152749477166,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B94DAE20B5FEAAC52A31A971589498,SHA256=B6D02D336D66C278A2A4A7B397F228A87D29A9ABA7564AE1469EC93865E2BDB1falsetrue
23542300x80000000000000005428298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:13.070{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7180MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue
23542300x80000000000000001535460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:13.000{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:14.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:14.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83782BC187E153F24AFA8A14A9B4903B,SHA256=B6773C049886109651C75A7395B4C77905D23E10C1A66F96DF0E17D3B52548F6falsetrue
354300x80000000000000001535464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:07.636{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60626-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089-
23542300x80000000000000001535463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:14.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BFA60A94EC8F319B05864D6341AC32,SHA256=BA14C5E61BBE7E0F9ED6D8C3F288858700A4C202C06F7F1F481224447C0F8C37,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:11:59.847{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63382-false10.0.1.12-8000-
11241100x80000000000000005428311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83AFD2C5B35093C82A11EFC6009D303,SHA256=9C93331E714B0859203B9E5231B345701F06E7F1259ECC6AAB6832EC63A94971falsetrue
23542300x80000000000000001535465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:15.121{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3447822F9B050B78AF198A4FEA9C2F29,SHA256=3DE51F25B89C492731A34EE11FAE1B5DDA4023DE56D48B49ADE2221C05A3A8C6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=632C2DB6EFAD119F7D26B544F3F7E471,SHA256=329996EEF2421474F1CA5219C217162846B49B43AED7A8AA2EAD1D81748E9D4Ffalsetrue
11241100x80000000000000005428307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73AC51F5EA55EEDC4FA5EFCEA84F7845,SHA256=5B3987EFDD9CCE4C77128BC00C78D77B36A41C470C963FF51BEA9C54C2940A8Ffalsetrue
11241100x80000000000000005428315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.883{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.883{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36CD2922863345954954F296926DB72,SHA256=E51CC8B0A9DB88491C0BD045002F77D70CAEE3C25481C179353F40CF8828B69Cfalsetrue
10341000x80000000000000001535474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.990{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.988{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.988{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.988{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.988{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.973{AEE49BD1-FD00-6138-32CE-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:16.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60499E010E0DE3D5949284033DE1325,SHA256=7777229882D64B342333D1F0F0D4D0CC43A4C2E19E1EBB1BF4F5CC8ACCB31679,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.039{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:16.039{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=514CAEF299B67869A6717FED6246A0C1,SHA256=865B386893AF458A3D3D6057599D20845E4D8B4911F405BBC4B662E971370FF2falsetrue
11241100x80000000000000005428317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:17.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:17.914{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BADAFEFDDDD2D552A31484D5E7BADA2,SHA256=459FE8B51DDBCAC7760B5E8FF1AF57DE3648E4BC07EB0646FC77A085FC7B5955falsetrue
23542300x80000000000000001535485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.992{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62A0490A77D643E1DA966F8B5C812B68,SHA256=1C71A66E9C9B3949497837166DC1B7A4FCE0EFA64BE6F0E543C42464665985E9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.526{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.511{AEE49BD1-FD01-6138-33CE-00000000F101}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7117D8D832C479A6ECA4BFAB94DA261A,SHA256=686188C7148BEC8E8C3803E8B7EE00A15271B15D0B8AE048CC7C792A8120139B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:17.109{AEE49BD1-FD00-6138-32CE-00000000F101}14964372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000005428323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D37C7738449539FAA9B6715742FF6F2,SHA256=2B353258C570B210B36E837EEF065A72B5DDF254DA8FE50274B8661CE8F48CD6falsetrue
354300x80000000000000001535495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:11.784{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60627-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87E0E6D0A6AEE4E3695843054B90D88,SHA256=AC3F70FE7F1B433F321B2D41866D3DB4158D06ECC82B823F0686E3433E11C684,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535492Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.126{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:18.111{AEE49BD1-FD02-6138-34CE-00000000F101}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x80000000000000005428321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEE8DFD9459C7FAD39769320E4098E83,SHA256=699B91E593F1B815146D5649C654D4D0066E6EE525887190629E9F2872C238A4falsetrue
11241100x80000000000000005428319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:18.351{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60E5BA48789AF47463A312D03E1C34A5,SHA256=49D2DF23EC4F6E7DFFFF556D1BF257DA7591ACD543CC9A3C56FBC87121B639D6falsetrue
11241100x80000000000000005428328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.992{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0EA793DE74B934C6A75C2EF868BFE7,SHA256=3DD7707C164130A44452795E52BF11CC9BF153223D9EEF347F5699478E8D8456falsetrue
354300x80000000000000001535498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:13.201{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-296.attackrange.local54998-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain
23542300x80000000000000001535497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:19.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB447974B9BE72384B1B20D4E590A0A,SHA256=ED62A928CB02B041F27B627CF0E45E77231952297DD8E9D0980ACE455430A270,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:19.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4FECD585CB7B33F0D6590F2B6F702D,SHA256=E05879BF45CA6E3451721811926A30D2298F072468396EFDD9EA2DCAFAB5ABA0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.586{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:19.586{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEE8DFD9459C7FAD39769320E4098E83,SHA256=699B91E593F1B815146D5649C654D4D0066E6EE525887190629E9F2872C238A4falsetrue
354300x80000000000000005428324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:04.894{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63383-false10.0.1.12-8000-
354300x80000000000000005428334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51686-
354300x80000000000000005428333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:06.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54998-
11241100x80000000000000005428332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AEA1E36602059A360ABD6C78B3B472AA,SHA256=0A04D6E61A3562DE3236A80717593CBD840D5EDF6705F291A1D579FE6628B1E3falsetrue
11241100x80000000000000005428330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:20.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B1287F4A02C2356CF9E0FFA2108032A2,SHA256=965EE0CE3AFA1DE235F271E0864858B5097C6BC5B7F059D2923B92B66A1FB290falsetrue
23542300x80000000000000001535499Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:20.129{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16041ADD0961C873BA7E3FA86BF806FF,SHA256=02563A19ABC5D777AB15A10766CE6A51A32D01D0F877FBCC5C0CF076CD309E13,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535500Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:21.131{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D2492DCBF4AA9824C3C894A67D6E30,SHA256=EE4141369C928A8F01A4DAD064339301966392AB97D77C91DA4A068664C16A29,IMPHASH=00000000000000000000000000000000falsetrue
734700x80000000000000005428445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.976{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005428444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005428443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005428442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005428441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005428440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005428439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005428438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005428437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005428436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005428435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005428434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005428433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005428432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005428431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005428430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005428429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005428428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005428427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005428426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005428425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005428424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005428423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005428422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005428421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005428420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005428419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005428418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005428417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005428416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005428415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005428414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005428413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005428412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005428411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005428410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005428409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005428408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005428407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005428406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005428405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005428404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.961{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428403 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.945" SourceProcessGUID={4DF467A6-3F46-6132-0500-00000000F001} SourceProcessId=412 SourceThreadId=428 SourceImage="C:\Windows\system32\csrss.exe" TargetProcessGUID={4DF467A6-FD05-6138-26D4-00000000F001} TargetProcessId=8052 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428402 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.945" SourceProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} SourceProcessId=7044 SourceThreadId=1372 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={4DF467A6-FD05-6138-26D4-00000000F001} TargetProcessId=8052 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventCode=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428401 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.946" ProcessGuid={4DF467A6-FD05-6138-26D4-00000000F001} ProcessId=8052 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2' CurrentDirectory="C:\Windows\system32\" User="NT AUTHORITY\SYSTEM" LogonGuid={4DF467A6-3F46-6132-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241 ParentProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ParentProcessId=7044 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428400 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.945" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=17 Version=1 Level=4 Task=17 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428399 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreatePipe UtcTime="2021-09-08 18:12:21.945" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428398 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.945" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=17 Version=1 Level=4 Task=17 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428397 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreatePipe UtcTime="2021-09-08 18:12:21.945" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428396 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.945" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=17 Version=1 Level=4 Task=17 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428395 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreatePipe UtcTime="2021-09-08 18:12:21.945" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=5 Version=3 Level=4 Task=5 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428394 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.398" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428393 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.398" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\kernel.appcore.dll" FileVersion="10.0.14393.2312 (rs1_release.180607-1919)" Description="AppModel API Host" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=kernel.appcore.dll Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428392 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.398" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\dbgcore.dll" FileVersion="10.0.14321.1024 (debuggers(dbg).210127-1811)" Description="Windows Core Debugging Helpers" Product="Microsoft® Windows® Operating System" Company=Microsoft OriginalFileName=DBGCORE.DLL Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428391 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.398" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\dbghelp.dll" FileVersion="10.0.14321.1024 (rs1_release.160715-1616)" Description="Windows Image Helper" Product="Microsoft® Windows® Operating System" Company=Microsoft OriginalFileName=DBGHELP.DLL Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428390 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.289" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\cryptbase.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Base cryptographic API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=cryptbase.dll Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428389 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\rsaenh.dll" FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Microsoft Enhanced Cryptographic Provider" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=rsaenh.dll Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428388 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\cryptsp.dll" FileVersion="10.0.14393.2969 (rs1_release.190503-1820)" Description="Cryptographic Service Provider API" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=cryptsp.dll Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428387 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 PipeName=\srvsvc Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428386 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\srvcli.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Server Service Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=SRVCLI.DLL Hashes=MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428385 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 PipeName=\wkssvc Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428384 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\bcrypt.dll" FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=bcrypt.dll Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428383 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\wkscli.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Workstation Service Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WKSCLI.DLL Hashes=MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428382 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\netutils.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API Helpers DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NETUTILS.DLL Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428381 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\netapi32.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NetApi32.DLL Hashes=MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428380 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName=msvcp140.dll Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428379 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\msvcp_win.dll" FileVersion="10.0.14393.2999 (rs1_release_inmarket.190520-1518)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=msvcp_win.dll Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428378 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\oleaut32.dll" FileVersion="10.0.14393.4402 (rs1_release.210426-1725)" Description=OLEAUT32.DLL Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=OLEAUT32.DLL Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428377 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\bcryptprimitives.dll" FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=bcryptprimitives.dll Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428376 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\combase.dll" FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Microsoft COM for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=COMBASE.DLL Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428375 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\ole32.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Microsoft OLE for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=OLE32.DLL Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428374 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\Wldap32.dll" FileVersion="10.0.14393.3269 (rs1_release.190929-1234)" Description="Win32 LDAP API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WLDAP32.DLL Hashes=MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428373 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\win32u.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description=Win32u Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=Win32u.DLL Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428372 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\gdi32full.dll" FileVersion="10.0.14393.4530 (rs1_release.210705-0736)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=gdi32 Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428371 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\adsldpc.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="ADs LDAP Provider C DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=adsldpc Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428370 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\user32.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Multi-User Windows USER API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=user32 Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428369 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\gdi32.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=gdi32 Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428368 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName=vcruntime140.dll Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428367 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\ws2_32.dll" FileVersion="10.0.14393.3241 (rs1_release_inmarket.190910-1801)" Description="Windows Socket 2.0 32-Bit DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ws2_32.dll Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428366 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll" FileVersion=1.0.2t Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName=libeay32.dll Hashes=MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428365 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\archive.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428364 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428363 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\rpcrt4.dll" FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Remote Procedure Call Runtime" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=rpcrt4.dll Hashes=MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428362 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428361 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll" FileVersion=1.0.2t Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName=ssleay32.dll Hashes=MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428360 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428359 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\sechost.dll" FileVersion="10.0.14393.3808 (rs1_release.200707-2105)" Description="Host for SCM/SDDL/LSA Lookup APIs" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=sechost.dll Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428358 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\ucrtbase.dll" FileVersion="10.0.14393.3659 (rs1_release_1.200410-1813)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ucrtbase.dll Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428357 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\msvcrt.dll" FileVersion="7.0.14393.2457 (rs1_release_inmarket.180822-1743)" Description="Windows NT CRT DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=msvcrt.dll Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428356 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\activeds.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="ADs Router Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ADs Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428355 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll" FileVersion=2.9.9 Description="libxml2 library" Product=libxml2 Company=- OriginalFileName=libxml2.dll Hashes=MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428354 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\fltLib.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Filter Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=filterLib.dll Hashes=MD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428353 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\advapi32.dll" FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Advanced Windows 32 Base API" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=advapi32.dll Hashes=MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428352 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" SourceProcessGUID={4DF467A6-D934-6137-57AF-00000000F001} SourceProcessId=5448 SourceThreadId=6556 SourceImage="C:\Windows\system32\conhost.exe" TargetProcessGUID={4DF467A6-FD05-6138-25D4-00000000F001} TargetProcessId=5344 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428351 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\KernelBase.dll" FileVersion="10.0.14393.4350 (rs1_release.210407-2154)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=Kernelbase.dll Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428350 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\kernel32.dll" FileVersion="10.0.14393.4350 (rs1_release.210407-2154)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=kernel32 Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428349 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Windows\System32\ntdll.dll" FileVersion="10.0.14393.4530 (rs1_release.210705-0736)" Description="NT Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ntdll.dll Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428348 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" FileVersion=10.0.10011.16384 Description="SplunkMonNoHandle Control Program" Product="Windows (R) Win 7 DDK driver" Company="Windows (R) Win 7 DDK provider" OriginalFileName=SplunkMonNoHandle.exe Hashes=MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428347 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" SourceProcessGUID={4DF467A6-3F46-6132-0500-00000000F001} SourceProcessId=412 SourceThreadId=528 SourceImage="C:\Windows\system32\csrss.exe" TargetProcessGUID={4DF467A6-FD05-6138-25D4-00000000F001} TargetProcessId=5344 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428346 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.273" SourceProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} SourceProcessId=7044 SourceThreadId=1372 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={4DF467A6-FD05-6138-25D4-00000000F001} TargetProcessId=5344 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventCode=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428345 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.258" ProcessGuid={4DF467A6-FD05-6138-25D4-00000000F001} ProcessId=5344 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" FileVersion=10.0.10011.16384 Description="SplunkMonNoHandle Control Program" Product="Windows (R) Win 7 DDK driver" Company="Windows (R) Win 7 DDK provider" OriginalFileName=SplunkMonNoHandle.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"' CurrentDirectory="C:\Windows\system32\" User="NT AUTHORITY\SYSTEM" LogonGuid={4DF467A6-3F46-6132-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3 ParentProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ParentProcessId=7044 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428344 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.258" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=17 Version=1 Level=4 Task=17 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428343 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreatePipe UtcTime="2021-09-08 18:12:21.258" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428342 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.258" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=17 Version=1 Level=4 Task=17 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428341 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreatePipe UtcTime="2021-09-08 18:12:21.258" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428340 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-09-08 18:12:21.258" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=17 Version=1 Level=4 Task=17 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428339 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreatePipe UtcTime="2021-09-08 18:12:21.258" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventCode=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428338 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.086" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" CreationUtcTime="2021-09-03 15:27:39.754"
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428337 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.086" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" Hashes=MD5=BDE875D7170388C5E3CF886A78B89BBD,SHA256=05E922A720C7FE0649A80168503F24D2651A9F893A1FD2675EAF1AECCD561962 IsExecutable=false Archived=true
EventCode=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428336 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.008" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428335 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:21.008" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=301AA4F3E126C8B9311B37AB75D0AF6A,SHA256=A63CC1EB536638DF82FF4E93CE3A8B63F3B08B6CCE719410E0EE43628475A3E7 IsExecutable=false Archived=true
EventCode=5 Version=3 Level=4 Task=5 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428512 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:22.773" ProcessGuid={4DF467A6-FD06-6138-27D4-00000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428511 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:22.773" ProcessGuid={4DF467A6-FD06-6138-27D4-00000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" ImageLoaded="C:\Windows\System32\kernel.appcore.dll" FileVersion="10.0.14393.2312 (rs1_release.180607-1919)" Description="AppModel API Host" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=kernel.appcore.dll Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428510 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:22.773" SourceProcessGUID={4DF467A6-FD06-6138-27D4-00000000F001} SourceProcessId=5684 SourceThreadId=8044 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" TargetProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} TargetProcessId=7044 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" GrantedAccess=0x101400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428509 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:22.773" ProcessGuid={4DF467A6-FD06-6138-27D4-00000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" ImageLoaded="C:\Windows\System32\dbgcore.dll" FileVersion="10.0.14321.1024 (debuggers(dbg).210127-1811)" Description="Windows Core Debugging Helpers" Product="Microsoft® Windows® Operating System" Company=Microsoft OriginalFileName=DBGCORE.DLL Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428508 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:22.773" ProcessGuid={4DF467A6-FD06-6138-27D4-00000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" ImageLoaded="C:\Windows\System32\dbghelp.dll" FileVersion="10.0.14321.1024 (rs1_release.160715-1616)" Description="Windows Image Helper" Product="Microsoft® Windows® Operating System" Company=Microsoft OriginalFileName=DBGHELP.DLL Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428507 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:22.664" ProcessGuid={4DF467A6-FD06-6138-27D4-00000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" ImageLoaded="C:\Windows\System32\cryptbase.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Base cryptographic API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=cryptbase.dll Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventCode=7 Version=3 Level=4 Task=7 Opcode=0 Keywords=0x8000000000000000 RecordNumber=5428506 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime="2021-09-08 18:12:22.648" ProcessGuid={4DF467A6-FD06-6138-27D4-00000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" ImageLoaded="C:\Windows\System32\rsaenh.dll" FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Microsoft Enhanced Cryptographic Provider" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=rsaenh.dll Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
734700x80000000000000005428505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005428504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005428503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005428502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005428501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005428500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005428499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005428498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005428497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005428496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005428495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005428494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005428493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005428492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005428491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005428490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005428489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005428488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005428487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005428486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005428485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005428484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005428483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005428482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005428481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005428480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005428479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005428478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005428477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005428476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005428475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005428474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005428473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005428472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005428471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005428470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005428469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005428468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005428467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005428466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid
10341000x80000000000000005428465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.648{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005428464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005428463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.633{4DF467A6-FD06-6138-27D4-00000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005428462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005428460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005428458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:22.633{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005428456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFB2842D95C4477258A3253E41CF566,SHA256=75820C475A093955E57BECF5877EFBFFE457504B2164E6BBB5BEEA8D11F66DF7falsetrue
11241100x80000000000000005428454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.258{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.258{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAAD449E7883BDA20D91121FDEE792B,SHA256=F36A6DB0C3E88B49C2A2A43A93664E0281C2159A663DB5A7F2816501D1058256falsetrue
11241100x80000000000000005428452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D1F7AB8F0A2BE14407A0A9F0755772,SHA256=7BBDB9A900EDD76343C9A07AD5E25CABCB88C2B9BB59BEB51D9DE13E3BA69F7Bfalsetrue
534500x80000000000000005428450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005428449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005428448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:22.086{4DF467A6-FD05-6138-26D4-00000000F001}80523164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Sysmon events from Microsoft-Windows-Sysmon/Operational, one record per line, fields separated by " | " (the export lost its column delimiters; field order below follows the Windows event System block and then the Sysmon EventData schema for each event type).
System block (first nine fields, all event types): EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer
EventData block, by EventID:
  1 ProcessCreate: RuleName | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
  3 NetworkConnect: RuleName | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
  5 ProcessTerminate: RuleName | UtcTime | ProcessGuid | ProcessId | Image
  7 ImageLoad: RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
  10 ProcessAccess: RuleName | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (stack frames joined with a bare "|")
  11 FileCreate: RuleName | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
  17 PipeCreated / 18 PipeConnected: RuleName | EventType | UtcTime | ProcessGuid | ProcessId | PipeName | Image
  23 FileDelete: RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428447 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:22.086 | {4DF467A6-FD05-6138-26D4-00000000F001} | 8052 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428446 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:22.086 | {4DF467A6-FD05-6138-26D4-00000000F001} | 8052 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | true | Microsoft Windows | Valid
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535501 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:22.135 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D48F5AC4FB2A660A91DEDCAD115E4AE8,SHA256=97E5D19954E641CCC9B3C95765D7BF8C26362BB21035654D110CE250D47E8A98,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 1535504 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:16.909 | {AEE49BD1-41F7-6132-D100-00000000F101} | 3472 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-296.attackrange.local | 60628 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535503 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:23.253 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=7067FE39D31BFC90A655471AD95A890C,SHA256=4555EA765C02B2AEECFC2244D00F89F2E236DCB3EAB1F3E63B591966D4CF5F29,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535502 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:23.137 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=0189E1CBC305666D106C744F6CEAF562,SHA256=2EC38651796D24B4468D404885BA98C000CD507FEA37C3E4DAF827C9F22C8EFB,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428572 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.805 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | 2021-09-03 15:27:39.769
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428571 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.805 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=7B4D00F39575064F77EBF42F972CFE24,SHA256=17C956C2B68CB2FA6BB7611FA9F0C0C1BDE5B3B6C1A383BA21D2B208ACC46D1C | false | true
5 | 3 | 4 | 5 | 0 | 0x8000000000000000 | 5428570 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.461 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5428569 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.461 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | 3716 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428568 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.461 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428567 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.461 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | true | Microsoft Windows | Valid
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5428566 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.445 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-09-03 15:28:51.675
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5428565 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.445 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E67860277EAA61241EF414B438AD3AB9,SHA256=4271AE0F016E4BBEC826012062C4256C17F6A2052FDAE3F0CEE6C2635F5F1E3F | false | true
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428564 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.351 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428563 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.351 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428562 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.351 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5428561 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:12:23.351 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | \srvsvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428560 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5428559 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | \wkssvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428558 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428557 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428556 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428555 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428554 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428553 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428552 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428551 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428550 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428549 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428548 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428547 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428546 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428545 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428544 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428543 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428542 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428541 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428540 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428539 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428538 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428537 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428536 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428535 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428534 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428533 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428532 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428531 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428530 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428529 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428528 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428527 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5428526 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-D934-6137-57AF-00000000F001} | 5448 | 6556 | C:\Windows\system32\conhost.exe | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428525 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428524 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428523 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4530 (rs1_release.210705-0736) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428522 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.336 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | 8.0.2 | Active Directory monitor | splunk Application | Splunk Inc. | splunk-admon.exe | MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8 | true | Splunk, Inc. | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5428521 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.320 | {4DF467A6-3F46-6132-0500-00000000F001} | 412 | 380 | C:\Windows\system32\csrss.exe | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5428520 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.320 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | 1372 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 5428519 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:23.321 | {4DF467A6-FD07-6138-28D4-00000000F001} | 6504 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | 8.0.2 | Active Directory monitor | splunk Application | Splunk Inc. | splunk-admon.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {4DF467A6-3F46-6132-E703-000000000000} | 0x3e7 | 0 | System | MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5428518 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:12:23.320 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5428517 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:12:23.320 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5428516 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:12:23.320 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5428515 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:12:23.320 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5428514 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:12:23.320 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5428513 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:12:23.320 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 1535505 | Microsoft-Windows-Sysmon/Operational | win-host-296.attackrange.local | - | 2021-09-08 18:12:24.139 | {AEE49BD1-41FD-6132-DA00-00000000F101} | 3924 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C58CDAB1341733146916735426F24BA0,SHA256=06181A435AE261E61D05D9BC7F7B836994A3F189FACE570A14E274E4E6F7F553,IMPHASH=00000000000000000000000000000000 | false | true
5 | 3 | 4 | 5 | 0 | 0x8000000000000000 | 5428693 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.836 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428692 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.836 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428691 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.836 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428690 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.836 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428689 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.726 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428688 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.726 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428687 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.726 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5428686 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:12:24.726 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | \srvsvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5428685 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:12:24.711 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5428684 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:12:24.711 | {4DF467A6-FD08-6138-2AD4-00000000F001} | 2772 | \wkssvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
734700x80000000000000005428683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005428682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005428681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005428680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005428679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x80000000000000005428678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005428677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005428676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005428675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005428674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005428673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005428672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005428671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005428670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005428669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005428668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005428667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005428666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005428665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005428664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005428663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005428662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005428661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005428660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005428659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005428658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005428657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005428656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x80000000000000005428655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005428654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000005428653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x80000000000000005428652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
734700x80000000000000005428651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x80000000000000005428650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005428649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005428648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x80000000000000005428647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005428646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005428645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005428644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005428643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid
10341000x80000000000000005428642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005428641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.711{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005428640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.696{4DF467A6-FD08-6138-2AD4-00000000F001}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005428639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005428637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005428635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.695{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005428633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B7AD866A22A0F2F27C519F085415A3,SHA256=66FAF3ADE430F07239B010BF69307493EBA98759A1E15A6C6BA4A135847411D8falsetrue
534500x80000000000000005428631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005428630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005428629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}18607804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005428628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005428627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.148{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
11241100x80000000000000005428626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62387DDDCE159867E48415E8B1C2F897,SHA256=278C20DB2719CA7F52BD2CB8DFFCA42D75D27D2FF97F452EA70F6F1D4B3C5AA0falsetrue
734700x80000000000000005428624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.039{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005428623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.039{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005428622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005428621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005428620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005428619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000005428618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005428617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005428616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005428615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005428614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005428613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005428612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005428611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005428610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005428609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005428608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005428607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005428606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005428605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005428604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005428603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005428602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005428601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005428600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005428599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005428598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005428597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005428596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005428595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005428594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005428593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005428592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005428591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005428590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000005428589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005428588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005428587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005428586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005428585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005428584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005428583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005428582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid
10341000x80000000000000005428581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005428580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.023{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005428579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:24.008{4DF467A6-FD08-6138-29D4-00000000F001}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005428578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005428576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005428574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:12:24.008{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
23542300x80000000000000001535506Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:25.157{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B994017F07711E6BE010CF14CA65A2,SHA256=DE770AED9B563A0BAB4440E84B5C1D17C6F800F7C0A4EEF5C63143A59BD7267F,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:10.676{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63384-false10.0.1.12-8000-
11241100x80000000000000005428760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.461{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.461{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BAEBE88918138330CAF00C50384ABB,SHA256=D39CCA186A3D795B17E6821DFD833F3964F1689807D72D33B71F2FAA5837D060falsetrue
534500x80000000000000005428758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
734700x80000000000000005428757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000005428756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005428755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.430{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
11241100x80000000000000005428754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFE4C8E5DCEEDB89DAF86B82346DE621,SHA256=6E308B908318326FB216AEFEA0BD6C382D3260D36FD2D726FB6655D045F591C0falsetrue
11241100x80000000000000005428752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.336{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D3B2815E7F75A488DC56B9BE5A8B79,SHA256=E7141CB936F882F217B5540CA7866ADF8093F9089BA6B9F585D3410982891262falsetrue
734700x80000000000000005428750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:25.305{4DF467A6-FD09-6138-2BD4-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
23542300x80000000000000005428774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:29.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B29FD0E0F4E35D54199BA79E231A5B72,SHA256=994B8F40E1CB20C65539817C3FEAC18144B02EBB9102937F0E58AD692A9BB62Efalsetrue
23542300x80000000000000001535512Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:29.018{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC37A9DAE9A28F70758A396FCB08A5E,SHA256=C841903A0C754C376E1F0E89BC899357CEE3650B99C2364FE25B0F088024ABFA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535511Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:29.017{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=443108A683C762C32E88A5657A913E06,SHA256=BD2BFF0B991C318B13E0334097533A1FF669991E3975D2E7A9EAC6109B340589,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.709{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149F199948BEE772547E7CCAF56868A1,SHA256=26FEDC785968A1200D5AA2877F4E331DCDB4EEEE929BDFA0ED12F369FE66C785falsetrue
23542300x80000000000000001535516Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:30.171{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF439ACC3BA3C0B330780014EB781FE4,SHA256=2F5E7DE5FBA0B5225F25508BE4CAD72D0EC01813AF2EA5D786170E69C5EABA89,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:15.908{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63385-false10.0.1.12-8000-
11241100x80000000000000005428783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB8AAEFCCA55399D8F38E3C89DEF6A57,SHA256=54DC69DC5EF006F59C2B842B47C2141B5110909C331062977B65831A8F144B23falsetrue
11241100x80000000000000005428781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=245472076015579A99C6B8F1C43E2691,SHA256=FBF7DAAF3150721DA24DE770E38804B812A3CEDEB0211EEC8162BECA64021B68falsetrue
11241100x80000000000000005428779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.241{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185
23542300x80000000000000005428778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:30.241{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FF3EEDA58A4058B3ABC945652FF65508,SHA256=713CC2391ACD62E62D5DEF8BBB00C4FA1FAFBA5F09DFD274E5B951C17FE52275falsetrue
11241100x80000000000000005428790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:31.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:31.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C083C6E90FD28CDFA2DF06F9F79E70B9,SHA256=84E18E2EE6191B9B18C22FEB087EA2F8EE1FAB2CAFF250CBEE8A2FFB5025A232falsetrue
23542300x80000000000000001535517Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:31.173{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22259461693C363B6A844905A3322201,SHA256=6C6863392451EA0E00FDBFF1D8ECA15B2CD2C9A4AFA2ECD983CA057836B491BE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:31.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:31.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=091C861877C19D3AAE8B8A065150311F,SHA256=385B522B6754B3D0247C7CAA30E3679BDCFE4AE144D51166B054830E09349E1Dfalsetrue
11241100x80000000000000005428792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:32.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:32.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748E0B647C64625962977816228A7710,SHA256=14F0182B132EF251AD2EE0AD0D11E7F5D592A4DB3C5AF911E358A1D79A1EF65Afalsetrue
10341000x80000000000000001535527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.607{AEE49BD1-FD10-6138-35CE-00000000F101}37885936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535526Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.491{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD10-6138-35CE-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535525Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.491{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535524Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.491{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535523Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.491{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535522Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.491{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535521Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.491{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD10-6138-35CE-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535520Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.491{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD10-6138-35CE-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535519Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.476{AEE49BD1-FD10-6138-35CE-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535518Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:32.175{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841820465FD9AC072819D81ADCCFE629,SHA256=CC219466900DA3247DE4E9C2325F7DDC231F902F237ADFC33AE30B5DA8B90595,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:33.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:33.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807FB9B72E495E627A4D23B8888E1B47,SHA256=F2E17D52A4706E5D53D23EA788D5A7BB95E5065364CDAB5B014880E28C2CEAEFfalsetrue
10341000x80000000000000001535547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.978{AEE49BD1-FD11-6138-37CE-00000000F101}3076288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535546Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.862{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD11-6138-37CE-00000000F101}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535545Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.862{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535544Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.862{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535543Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.862{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535542Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.862{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535541Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.862{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FD11-6138-37CE-00000000F101}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535540Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.862{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD11-6138-37CE-00000000F101}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.847{AEE49BD1-FD11-6138-37CE-00000000F101}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.708{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC37A9DAE9A28F70758A396FCB08A5E,SHA256=C841903A0C754C376E1F0E89BC899357CEE3650B99C2364FE25B0F088024ABFA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.325{AEE49BD1-FD11-6138-36CE-00000000F101}32845808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.192{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.177{AEE49BD1-FD11-6138-36CE-00000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.177{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E79F8257820EB8E49068734E2142E68,SHA256=27AF8431588634130E30923BBFA1B0DA1D44446BEF683CD5CB31BC719523AE75,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:34.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:34.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCC7C1A7E5427C7450BE65DE92CEF10,SHA256=FDCCF717A0D8AF276335E207F65B990C12691A4D176ACCCC335C94784CAC4A66falsetrue
23542300x80000000000000001535549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:34.894{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B550623355EC2F1A680B048A0053D2,SHA256=ECBE4E9C2CF667C1A7A83D6B5F2316A92F13D70C20CBE623A73708735B0C6546,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:34.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58824249C13D479CB32695F197928961,SHA256=E2DF5F016FD45E25850A3CD2EAF6C601448D0EC9C51AD1256BFCC80B40163CBE,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:21.830{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63386-false10.0.1.12-8000-
11241100x80000000000000005428806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AA483B347BBC3A7135B17EB0E4151B,SHA256=8F076DEA5654419D6D9CE1437BDD3804CC1761EC7E7072B43BDA9E4BEF2C3BB4falsetrue
23542300x80000000000000001535551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:35.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FD0C94911772E07C0CE543440F6496,SHA256=A254BFEBF80F806B571B3E8F76A44EB60FC371B7AD8EE6928B890684FB174DF9,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A1C6F32E541EA23481D456AF7CF9593C,SHA256=36567C1055A749890EE5222B7F0F15C61E42CF71E909C3ED9C0D7DFAE879597Ffalsetrue
11241100x80000000000000005428802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F0ED60E578D40EB4534A81F420647240,SHA256=D3474CCD3182BC527E7A57315EC0115B85E82EDF1ED460B7C1C7813884C0F3D8falsetrue
11241100x80000000000000005428800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDD69F36ABFC38B64C891BF496F0D602,SHA256=E86B85DDE036B3B1B8D73A525C3A26E330812F4EBB40C0E45639B1F4C4246070falsetrue
11241100x80000000000000005428798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A042C7F62413258DF55C8379CDE1411,SHA256=039F8977C0F85F14BBFEF0A15284D71B29834EBBFC58C79CE55ABBCFDC7DE608falsetrue
354300x80000000000000001535550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:27.823{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60630-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000005428811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056DF49AFA4875D4E1BA90E4A932A57C,SHA256=9744A8ED93FC243258B9D580FC4027E0A6DEA74F36C4D9F91950BCACF13C073Dfalsetrue
23542300x80000000000000001535552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:36.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE54066A7E9F2FDFA2DD415A2A7CD20F,SHA256=741B558FEBB851C02E3E433E84217CBF5EF340A5FCF3C6C85106E183A663844A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:36.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F021F043904B5556C532EB55E3E4B55,SHA256=EA292E5CA143A727EAD168AE0A7EAD3B42ECF1474C2B1D0533D5101BA81FB633falsetrue
23542300x80000000000000001535553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:37.185{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D123E537D767D9D74D2D61DC7DB01AA3,SHA256=AC4D145A3AB7EF83BACD1628AA3A3E8D0C55A44F9179717A603830CBBF82E4EE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:38.188{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEDD5CF59A0B4B31DE90F4AFFB0E906,SHA256=BE191175C0314F95220A5537FFEE50CD5AE251ACF479068A3C8B6B3A9809A3E1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:38.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:38.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6458095C98A9F5EC1FA81818E25F66,SHA256=F5CEC19666F22D0A777B205C486690BBE4761881E64E32A517B686029C60DB9Cfalsetrue
23542300x80000000000000001535555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:39.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96B5E629F298C57AEF84B6B5D352651,SHA256=8C0C7B073BDAF1F3ADA86C42CC41C9B6023654A1CEE13F8D7A6CC462241A1F3A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:39.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:39.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97107FA704170C9024FBA678462EC3A4,SHA256=4F1C8468772EFD4165F4D271DC40C68EB6AAE96949E807019E0E8ED6B89B8D86falsetrue
354300x80000000000000001535559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:33.749{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60631-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:40.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53153F7715722FD59F01907004C9E3FA,SHA256=288C0B45FB40CC9F631D6C6AA2EF7EA54541727C8D43D8F2D6F8B7D88DC6DFCC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCF1EFE799A91D33CFE06BCAD228DFE0,SHA256=475619160CF51D24DE2024D2EBD93CCA8F0126D7AF7B4D0D1FFC5EEE086EDF44falsetrue
11241100x80000000000000005428819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B840AB0986551769FA3F88CBAD6326DB,SHA256=5E973A45CD693D4F348A796CE476B4916F27701B71E08BE163986CB2816A905Afalsetrue
11241100x80000000000000005428817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:40.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A979B4B47B82261C7B43F962E2E8C3,SHA256=9662843B6B5EA3F65FBBC2C9C7A3EEBC7163ADD6EF5C0784A6DA0CAA11F617BCfalsetrue
23542300x80000000000000001535557Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:40.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8C2F6A3F5259204010413A37E356BB,SHA256=7DC8513993593A62E553139E0E686B73D817B9F8E721CA96D9072427DF46095F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535556Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:40.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA9634996EAE0522CB949E1443B07438,SHA256=1B1910D62F191E1B6A0AC72BA3330451FEBB5B5E98994DDCB2BAB99D20CEA4AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535560Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:41.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE3E35B1EDD09B30EFE1B169FE9D9FF,SHA256=CCD9D8E0C882943CA1AA2A50E9754227B171C9F6AC66CAFD7BA13CCC747E312E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=133845594A5D919F7CDADFA52AC2AD92,SHA256=61FDA2EEDBF0D436AD06E87E8F090FB94A0F9282E537218162C90982CE1D0DB4falsetrue
11241100x80000000000000005428827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8B66CC1C41310A47FBCA7391CC5D5C,SHA256=0469783620A1FA7BFD494D8D4617D44DF91FA03B71CC48FD1111ADCCF12B072Efalsetrue
11241100x80000000000000005428825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDD69F36ABFC38B64C891BF496F0D602,SHA256=E86B85DDE036B3B1B8D73A525C3A26E330812F4EBB40C0E45639B1F4C4246070falsetrue
11241100x80000000000000005428823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:41.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB590334A75BB34A0B242D47CBE26F6E,SHA256=059E9FF67405E3180F1F8C87DFF14984C81BF465D810B1AE5D4F57E9E02EE9C9falsetrue
10341000x80000000000000001535569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.885{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD1A-6138-38CE-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.885{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.885{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.885{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.885{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.885{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD1A-6138-38CE-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.885{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD1A-6138-38CE-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.870{AEE49BD1-FD1A-6138-38CE-00000000F101}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535561Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:42.198{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C7377A14FD4A7D7C225C57EEB93633,SHA256=C53AB1DF24830306A6E6EEE48CB797D2A2BE4B3042B11A27BEDC405AA46B1777,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:42.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:42.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8B66CC1C41310A47FBCA7391CC5D5C,SHA256=0469783620A1FA7BFD494D8D4617D44DF91FA03B71CC48FD1111ADCCF12B072Efalsetrue
354300x80000000000000005428832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:27.861{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63387-false10.0.1.12-8000-
11241100x80000000000000005428831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:42.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:42.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015FFADBD366DCD0690D66B6D22ED17F,SHA256=EA067CDFA159F9F7097B17E4949A3CBF2CD56C40D3DD6C8957FBA2A7739D25F4falsetrue
23542300x80000000000000001535571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:43.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8C2F6A3F5259204010413A37E356BB,SHA256=7DC8513993593A62E553139E0E686B73D817B9F8E721CA96D9072427DF46095F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:43.201{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127E0F2D32051C1FF34ED5DEE5F98007,SHA256=33F3F152B7D459015DD9BE9569C55484B357C7EBB5EC46B057C2A682564AB2F7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:43.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:43.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EDF74BDC5C5D52EEC2272E13148D8F,SHA256=F641918456D854B18B17C6AF495F4F49408B14246354A10EBCEC98873B874080falsetrue
23542300x80000000000000001535572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:44.204{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AC31E3690E3CE36BC2D30B0F4964F8,SHA256=CCC9D28B2CBA20790BC9C23680FDC6489BFF6293432FA934DEF795452C35FA5B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:44.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:44.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6294EB95311E50601A783646E1C32CD8,SHA256=06E7981BCB0B2A4CB6A637CBD78CCD846219A7157F28CEFC31B18C4F725BC83Dfalsetrue
11241100x80000000000000005428844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:45.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:45.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C985F9617AC9E520087E8F2F79C9A16B,SHA256=2F222E895590EB9D6B80C7C5C90D7C1BA987B243BF59A9F2EEC9CBF85870337Afalsetrue
11241100x80000000000000005428842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:45.475{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:45.475{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=69986431698E3207BE00F21EDAFBE6E3,SHA256=DBF46817616D8FDF8964F90FF9A96DCAE1D331FCEDB84FB7197BD24AB57717A6falsetrue
11241100x80000000000000005428840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:45.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:45.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2F3D1119870944F728233117C386F0,SHA256=2869B98C3E210DF73268345D413EF4A10651881AE33EE25933FFEC19A699FCDBfalsetrue
354300x80000000000000001535575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:38.762{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60632-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:45.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD357E28D8156EA9BFCCF1DAEFF54F80,SHA256=FBB760CD2433973C6971D5D84694FDB390B90C22DB8C707D074DBF2E8548BAA6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535573Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:45.155{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB04D320738B9002802A152C8DE5C2C8,SHA256=9C51E5AAE49EDD4EB37C96A516FF0E77D4B674B9BBE8AA81911F300D47834E8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535576Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:46.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46764FA6C23D20A0625D275BAFAAEA26,SHA256=2AFBE3236C10335995F12B953E400958CF1352139D16FD751CE115E5780F5A45,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:46.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:46.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D44F2FAF762CBA157657171402FD6959,SHA256=87A9566D4FCB1709A81C5A6A93470176801ABE7DF371EFF5F60EC7F242BEC715falsetrue
11241100x80000000000000005428848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:46.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:46.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681AF0CB293FB38D97371BB89BA24EF0,SHA256=039C2C4635D9B5FA4A698C1B727A39BAE6921A8ACA1732D233BEE920826DE1F5falsetrue
11241100x80000000000000005428846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:46.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:46.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFEF0E9A9B15961F5FE9A559D8B3B43,SHA256=27E763DC23975E1942927F142C88C983E8E88D1C72613121A98BA74828C26B9Cfalsetrue
11241100x80000000000000005428855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:47.637{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623
23542300x80000000000000005428854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:47.637{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue
354300x80000000000000005428853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:32.892{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63388-false10.0.1.12-8000-
11241100x80000000000000005428852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:47.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:47.277{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4D1FB1C62A35F60A1B56850059EAC6,SHA256=0C7B369EECAD6CCFB77F0D29B94ABCFAAB1A2054864A8DB1B714B94BB8F4632Afalsetrue
23542300x80000000000000001535577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:47.212{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE16698C02D77C7E765DC5AF87063EC,SHA256=FEA02029C8E1B0D0048E2231F85242612CDF27896C8380F5CF4C041BA212EE08,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:48.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:48.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E536AA6742B892AA9186922CC900E4,SHA256=72D773B345977957965E54EFC3DFCCA8E7BDADC8E3823F782EDA5E606B6956B9falsetrue
23542300x80000000000000001535578Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:48.215{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9635F48E188B172A85035220B78289C0,SHA256=7560EC2A20F2445DA013F4F016DA27B24D1CCF39B36FF42AA4AD08146382B0B0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:48.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:48.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE9E60807532A9BA7862B70B7C71708C,SHA256=9A3EB9A7BF8E07DAD24348447F8AAB6A1BBBD8B8F2B39A049E254CDBA525A51Bfalsetrue
354300x80000000000000005428862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:35.273{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63389-false10.0.1.12-8089-
11241100x80000000000000005428861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:49.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:49.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441ACB2038816A94208172E4F87AB006,SHA256=A15CDC00989B1576EC8885CB10436593ED59A6EE5ABDB6A109FBF6295CE37BEDfalsetrue
23542300x80000000000000001535579Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:49.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86190ABF82779B234513DDB5BBA7F645,SHA256=DB9511E57C740D20417F259C3E6C9D8EFE0FC29B413ACA5F93D82A40CA6BBC29,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001535583Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:43.877{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60633-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535582Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:50.222{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A863FB3E465D89B8D9B9A4DBC7DBD888,SHA256=1943264A53D155F033F053EC2CCE14BD509F5CCB987686DF1F4F65C9ABBA5816,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535581Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:50.222{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A42C9E9929F60FADBA504DCCCA88D9,SHA256=3F21F58C4B4D70472DB24B1F1103EB6788FEBCD18AB01AD1017E57A41ED77376,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535580Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:50.222{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1015430F4825821135810F716F45A32,SHA256=38E3D8A961D66F55E4E6959C4386D0FBEEEDD4B64B11C0D2A949077FE01745CF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:50.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:50.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A9F274EA9F76C4A6B2B3B13C62431245,SHA256=F3EA32C21FC4DB60F5AE9EA49EB66575550702030032DE162999B9DCD05334F7falsetrue
11241100x80000000000000005428866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:50.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:50.746{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A20E2F18E2ED770E28E5E4A3B18BE9E0,SHA256=115E362CEF046FC39EC2B03054A2304AA6BF3C411853826E90187FB1D4B223B4falsetrue
11241100x80000000000000005428864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:50.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:50.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DDED4E82EB3188A504AE32F749367D,SHA256=92319210785EE3D27AAC929DBB00A4C14B37758C364C2C874BAC842B76E59954falsetrue
23542300x80000000000000001535584Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:51.255{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0410EF908933461208F9EB0189B37B5E,SHA256=FC9FFB55A66FFC6E18DDA805AE711BFE6A5500449CCF0005162565DA76196C7E,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:51.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:51.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6944EF8ED648BAB3C2AE22422152B250,SHA256=9EF2B895E426AA8942CA18B2B6EFBDCC5B9A69F7460C431B9E890798EF2E70A1falsetrue
11241100x80000000000000005428870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:51.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:51.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1E702466177C95F54A7CA1BAE89449,SHA256=416221198D60BF1560A5C7FF30CBD7209DCE4DD96F6F1DA27BDCD1037F5359DDfalsetrue
11241100x80000000000000005428876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5335B3F454BA05A6B98B2114FE62F1,SHA256=BC97C81874223C76BFC560F55970DCD2A9452FF41871773AF2F3E38FFB93DA02falsetrue
23542300x80000000000000001535585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:52.258{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97996D386C60497DC1C8C05E87C62202,SHA256=D47B90896C802EE410ABC980BA6EFC0AE77425D850DDF547D3AB926CC5C24E51,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:52.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6B42D54A45B0CD9CBD43AC80EF46466,SHA256=DAA575C00B34E670B9F427FE494143A31B7B1C14984D384298AE706271AF321Bfalsetrue
354300x80000000000000005428879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:38.663{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63390-false10.0.1.12-8000-
11241100x80000000000000005428878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:53.465{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:53.465{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919605144EA878B34D61BDB2EE2D5177,SHA256=C59F47A0912932A04507BF27D9F0C9268E9B15946AA8840B9B127CAE9FCD865Bfalsetrue
23542300x80000000000000001535586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:12:53.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50482EAB0732C20B755986D2A3F2B29,SHA256=99B6F94DA02CF74F6EC0D16BBB8E7F4FC0242443A5E302A32E5136D3C6CAF161,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:54.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:54.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3673824A2F0D2C1D1342893A65D024B1,SHA256=60BDBCFCE32044FF52CDDA116BE9CFECF9D8D87E865B9545B8EF7019CA114BA5falsetrue
23542300x80000000000000005428938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:08.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E30B0C744FAC7808844F37FC4F40375,SHA256=F1937058B5FE55CDBB02D77F6A949D6DA4EE9A282FD3EB5270414B39C6AB4EEAfalsetrue
23542300x80000000000000001535612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:08.470{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBC02149076574F0F971F088212D801,SHA256=83FCF344E4CE7938450A3E511DBEA22E3AB18E9DF6F06ECCB47198741BAF4302,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:09.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:09.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF1C431D7F667933167B316C8A33740,SHA256=8C734FD3BF5A36676EF9FE5FCD4AB8AEB74DE9C9A5169AD14F353A656CF53ED7falsetrue
23542300x80000000000000001535613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:09.489{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660C53C8DB34D9B8DEAD653743C6CA7B,SHA256=6B02927F0B46368B2B16C11EF8CB6D201FBC1F6E7707395FDD49E223C943292F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:10.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:10.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F0D4DED698EA5C359A4C0AEEDAC3C9,SHA256=D03023DE41D36464D9B393E5BDC002A4F87F032BD0787B750DDB05D7D29D137Cfalsetrue
23542300x80000000000000001535614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:10.492{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB30752768F77D1354F80E09791477C3,SHA256=A9BA29A6402A30A8EA25DBF3BE3160C452FD62BB6DF3234AA9A3952F3DE29860,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:10.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:10.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E5BEE410482E09F7ED4A149FE74C89D,SHA256=6FA9458C775BC466493E26633D390F025B6B8B43CC023BABA24665DEB9BA7490falsetrue
11241100x80000000000000005428946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:10.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:10.766{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D072BD44121B0CE777010B6FFCA8E87C,SHA256=B5E9BEC034B1833186838545CF9A21F4F01AEDE68A35007D5AB946A4D0CB13CEfalsetrue
12241200x80000000000000005428944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:10.220{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005428943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:10.220{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
11241100x80000000000000005428956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:11.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:11.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCA5C35DDB721E34F2F9E0199FB9462,SHA256=F065BCBED3A289971C7363BEC6D22106BAAFA34D76269CE0F5FF9E8AE6627BCAfalsetrue
23542300x80000000000000001535617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:11.527{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779507FBDF355308C3993B9C91B5B48C,SHA256=8D41CAB7AB5F09A56112BDE8EB80E791C3D04548BE05C327CC437BC4CD037BA7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:11.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:11.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6395CABE99EA936719FE9A8B9DD6EA4B,SHA256=BFA26076FA3D2380646DEEA2728946EA534E79E429D75A37F4B958AD562FFA87falsetrue
11241100x80000000000000005428952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:11.470{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:11.470{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5717867B4ED46AB09CAD1E7D36B6D449,SHA256=4EDFF17BBAA2C2FCF0582F0389DF21707F4BA2F9BB22A6A57AB3C61D8AD3BFEBfalsetrue
23542300x80000000000000001535616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:11.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=053F3E8F21BC41AF90438948B105A665,SHA256=826BEEBAAE45778C7CCA9124F9F8B9C67BC55D548B69F46C2529DF3F2DB2D16C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:11.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A6BC1924696FA29090800A6E982D709,SHA256=3766A1B60C4A2C0E590AF4C310780BAE1155B2EB51EE47D9CCAA66704A80C463,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:12.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:12.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD196D5E7B6C267D89EFB4C0DEB6E7E6,SHA256=5C53658C54F27777033A8D1C2BCB8BB1DA15FBF52584CC3D8A41209B3EADBDFBfalsetrue
23542300x80000000000000001535620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:12.832{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=053F3E8F21BC41AF90438948B105A665,SHA256=826BEEBAAE45778C7CCA9124F9F8B9C67BC55D548B69F46C2529DF3F2DB2D16C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:12.581{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B509E9E8D689E37E3638C2E0A0541CB0,SHA256=EEE0E4986773195B83035E76FA7485B76A593E1E7A8D0D9C702633FFD53EC644,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005428958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:57.871{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63394-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
354300x80000000000000005428957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:12:57.871{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63394-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
354300x80000000000000001535618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:04.880{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60637-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000005428965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:13.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:13.939{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A5092E669F8E9C66BF39B7FFEC8086,SHA256=F91FE72C2FD80A9CC3D0A4ECF014AB0DC585FD512222C1AC659FD3FA092BF88Afalsetrue
23542300x80000000000000001535626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:13.600{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97C688668D2BB6C87967E629AD6AC5B,SHA256=EDFC6276417259F0A817591A2FCB25D1D16DE8B2668689875316A84D7C794F7D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000005428963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:13.598{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7180MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue
11241100x80000000000000005428962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:13.597{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71802021-09-08 18:13:13.597
11241100x80000000000000005428961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:13.596{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71812021-09-08 18:13:13.596
354300x80000000000000001535625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:06.591{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60641-false169.254.169.254instance-data.us-west-2.compute.internal80http
354300x80000000000000001535624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:06.531{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60640-false169.254.169.254instance-data.us-west-2.compute.internal80http
354300x80000000000000001535623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:06.485{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60639-false169.254.169.254instance-data.us-west-2.compute.internal80http
354300x80000000000000001535622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:06.484{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60638-false169.254.169.254instance-data.us-west-2.compute.internal80http
23542300x80000000000000001535621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:13.034{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:14.952{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:14.952{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C14774B284064E55AF5EBCA6F692B81,SHA256=97C33D4DE91F8C4E6185333D37FB0E7D4AF2F25022BA656C1A5417327254E8DDfalsetrue
23542300x80000000000000001535629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:14.603{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90F76D2B357D0F6050997D6D7927C43,SHA256=6CB2FDE932F3FDE309C336E81B2213B6E5BEEE4F8980E141592EEE86310CD9EA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000005428968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:14.611{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7181MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue
11241100x80000000000000005428967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:14.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:14.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=747FCA1619222C388733906F42475BA0,SHA256=DCC6829E81169642ABA69043FEA882071C23932DE02C77D878046710694F97C5falsetrue
354300x80000000000000001535628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:07.672{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60642-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089-
23542300x80000000000000001535627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:14.235{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3236A8E71027EC7EA3ED11772A5301FB,SHA256=7F3E5788A24DC95A2D42D2155BFFB4CF61AC21D34FED90CAD4C4F7120B37DE96,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:15.955{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:15.955{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA75EBBDED398CD9B28E7FCBC4E030AD,SHA256=338AC2C51844AB0B05F23BDD9D764F76ECBCC4EA9328EE0BCB058949F5C7BCB2falsetrue
23542300x80000000000000001535630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:15.638{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2052EBC6A7DBF03DFE32BD564915950,SHA256=A8AA01A5793293D3EBE06753E62AE211ABD9B0A5AAB9E217833C924BC6CB35E8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:15.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:15.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=65A54C0C608E7D319408E645A84CD728,SHA256=9A60F845E508E4E3851A5B0C3178198717C761EE2B2AF62AE4219EB1DB49DE3Bfalsetrue
11241100x80000000000000005428973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:15.830{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:15.830{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD4594329F34F3688182D31C05A1B6BD,SHA256=9EAEA34B3E4EA858C5EEF7D3D9C6261ECD09D93BC950B7F84460C929FEE357AAfalsetrue
354300x80000000000000005428971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:00.730{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63395-false10.0.1.12-8000-
11241100x80000000000000005428981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:16.971{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:16.971{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF1F11129D148EA3B3ABF89E616BC2E,SHA256=8436BE170B62F97422283EC49B89B8F9AC92C375A2D697865671C1ECCDBE824Ffalsetrue
10341000x80000000000000001535641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD3C-6138-39CE-00000000F101}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD3C-6138-39CE-00000000F101}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.994{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD3C-6138-39CE-00000000F101}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.979{AEE49BD1-FD3C-6138-39CE-00000000F101}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.642{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F0767252EE3C4231B116922559201E,SHA256=DEE62730C1D592A63B5ED1A033E2823AE5B7E257A60BA57A861312232FE43DD1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:16.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:16.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F9EDA76CF222FA50B549E9AEBE3EE4FB,SHA256=DAB2C1019A70A4BB9BAB9558DBC76994035FAA790365941004FF53A8EBBE6F92falsetrue
354300x80000000000000001535632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:09.894{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60643-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:16.241{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECFBF8CC3CB2DB961F958BBBD3BB4029,SHA256=7744A0F77A42ADCFBABC0B6B417482815FC04AD87D394F0B25D7F9C114FE7E90,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:17.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:17.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257EA8D58BEBF8145BD90A3A2FBF5AB6,SHA256=1C23AB732E74D1184F04B451E8E5A1C11E0397F748A3D748FD8129A3B3DBBD44falsetrue
23542300x80000000000000001535652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.996{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84053A353AF05DC5B4FF48BC9043B9C8,SHA256=E44C43D1E41A771A3381246A30B6643AAD70925AD8166B4FE5BCD64089BBF41B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.811{AEE49BD1-FD3D-6138-3ACE-00000000F101}57323348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.680{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.665{AEE49BD1-FD3D-6138-3ACE-00000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:17.649{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68AEE2D9BCA6C960CF7EF96FBCBCDFA,SHA256=439C826DBCD9240E7603CD23DBEDF9528895C5BF2ACB26E91F60CCCA95248DC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.683{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6669EA1AF97DE98CCC9DF8AF087D830A,SHA256=D337010632FCAD193BE6740ADE0695CF6D03C0DFA317EDF39B55F9925125F5FD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.382{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:18.367{AEE49BD1-FD3E-6138-3BCE-00000000F101}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:19.686{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852D33980D365EC8E42D61D54EAE0995,SHA256=68204E6D74C0A121AD28259E9790B9561F1EC777FA6A6DB6A97FDE9A90883487,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:19.111{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005428986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:19.111{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259B9569C7C7904AC70759F3C9C4188F,SHA256=19B96093A8D0A7963034FB879FB53ADC361CADB621B926FE1B6C7D0036F3D9C9falsetrue
11241100x80000000000000005428985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:19.002{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:19.002{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56773A7E1CBBDBFA58C1887BB4A5E7FA,SHA256=6F34A3FEC019106F1D4E7F20A487A5FF698AAFD3161C729EDDA648F488B40845falsetrue
23542300x80000000000000001535662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:19.369{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=188FC702E12A4BFB48916D30B71AFDB4,SHA256=B0244FEA54C6C48BD8CDB3D476CA2D3DCC0671086F02D9C44273C5247F2BB1FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:20.688{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7D01432576096F7CB778F1BB70DFCE,SHA256=9A963C3F35BF0DFCE991F3C8EA247E9B9DD935ED719DB796A7E4D1CF305D9C8A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005428994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:20.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:20.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EC6BE8D275C389D76DD07B7D68BC01C3,SHA256=BC4836BCE8A805AB0AD4CF125FBF50B61F337633A32103A1E189FDFDCB1664DDfalsetrue
11241100x80000000000000005428992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:20.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005428991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:20.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A572F9E37DE194418D97F728313B717,SHA256=A3163AA053F6DD2E7CC22A96AED26D178E31B5FB5E3CDF24C593C2B0C615994Cfalsetrue
354300x80000000000000005428990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:05.747{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63396-false10.0.1.12-8000-
11241100x80000000000000005428989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:20.018{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:20.018{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0E108923F0833EED0533E66CAB9DE1,SHA256=AE130C17A4B1B7D7E7C9E2CDB2C1E1A3181617120BC880A55C8335DDA21B3B95falsetrue
23542300x80000000000000001535665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:21.692{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6F2CE015A9B59F0587D0C7D971CE45,SHA256=7A6DB8A90BBDBFC12EBF160EA7B4F27BEF6866C73BB47B9CAFC1CB6E169F0B59,IMPHASH=00000000000000000000000000000000falsetrue
734700x80000000000000005429106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.971{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005429105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.955{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005429104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.955{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005429103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:21.955{4DF467A6-FD41-6138-2DD4-00000000F001}800\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005429102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.955{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005429101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:21.955{4DF467A6-FD41-6138-2DD4-00000000F001}800\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005429100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.955{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005429099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.955{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429098 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429097 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429096 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429095 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429094 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429093 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429092 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429091 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429090 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429089 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429088 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429087 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429086 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429085 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429084 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429083 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429082 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429081 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429080 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429079 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429078 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429077 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429076 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429075 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429074 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429073 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429072 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429071 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429070 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | true | Microsoft Windows | Valid
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | SourceProcessGUID | SourceProcessId+SourceThreadId (fused in export) | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (frames separated by |)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429069 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-D934-6137-57AF-00000000F001} | 54486556 | C:\Windows\system32\conhost.exe | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429068 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429067 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429066 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4530 (rs1_release.210705-0736) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429065 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241 | true | Splunk, Inc. | Valid
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | SourceProcessGUID | SourceProcessId+SourceThreadId (fused in export) | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (frames separated by |)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429064 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.955 | {4DF467A6-3F46-6132-0500-00000000F001} | 412380 | C:\Windows\system32\csrss.exe | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429063 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.939 | {4DF467A6-D933-6137-53AF-00000000F001} | 70441372 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 5429062 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.940 | {4DF467A6-FD41-6138-2DD4-00000000F001} | 800 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {4DF467A6-3F46-6132-E703-000000000000} | 0x3e7 | 0 | System | MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | EventType | UtcTime | ProcessGuid | ProcessId | PipeName | Image
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429061 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:13:21.939 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5429060 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:13:21.939 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429059 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:13:21.939 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5429058 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:13:21.939 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429057 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:13:21.939 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 5429056 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | CreatePipe | 2021-09-08 18:13:21.939 | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 5429055 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.736 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | 2021-09-03 15:27:39.754
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 5429054 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.736 | {4DF467A6-D93F-6137-8AAF-00000000F001} | 5720 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=2F19840B6FD4C11C010A9B371C2D5F2F,SHA256=80F8DD999277ACDD11982C27FA28DC488907DD2A45A821D5200759371E5F7BC3 | false | true
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image
5 | 3 | 4 | 5 | 0 | 0x8000000000000000 | 5429053 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.408 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429052 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.408 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | true | Microsoft Windows | Valid
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | SourceProcessGUID | SourceProcessId+SourceThreadId (fused in export) | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (frames separated by |)
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 5429051 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.408 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 60045888 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | {4DF467A6-D933-6137-53AF-00000000F001} | 7044 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429050 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.408 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429049 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.408 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429048 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429047 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429046 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | true | Microsoft Windows | Valid
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | EventType | UtcTime | ProcessGuid | ProcessId | PipeName | Image
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429045 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | \srvsvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429044 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | true | Microsoft Windows | Valid
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | EventType | UtcTime | ProcessGuid | ProcessId | PipeName | Image
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 5429043 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | ConnectPipe | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | \wkssvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
EventID | Version | Level | Task | Opcode | Keywords | RecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429042 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429041 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429040 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429039 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429038 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429037 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429036 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429035 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429034 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\combase.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429033 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429032 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429031 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.4530 (rs1_release.210705-0736) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429030 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429029 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429028 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429027 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 5429026 | Microsoft-Windows-Sysmon/Operational | win-dc-291.attackrange.local | - | 2021-09-08 18:13:21.283 | {4DF467A6-FD41-6138-2CD4-00000000F001} | 6004 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | true | Microsoft Windows | Valid
734700x80000000000000005429025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005429024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005429023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005429022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005429021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005429020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005429019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005429018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005429017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005429016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005429015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005429014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005429013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005429012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.283{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000005429011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005429010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005429009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005429008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005429007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005429006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid
10341000x80000000000000005429005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005429004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.268{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005429003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.253{4DF467A6-FD41-6138-2CD4-00000000F001}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005429002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005429000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005428998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005428997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:21.252{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005428996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005428995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:21.033{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BC00A21E75A9D5433298119744F378,SHA256=ADD1AFA9606881926D3CF47180589486D509735A5E8C39E0416808A4BB7C7FA8falsetrue
23542300x80000000000000001535668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:22.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D7C915365DFEFFBBEA844F278FFE47,SHA256=E4F9630002FB72ADDEEE752C7F1056B64EBCF53B05DAD5B781631C33CE4B2D60,IMPHASH=00000000000000000000000000000000falsetrue
534500x80000000000000005429173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
734700x80000000000000005429172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000005429171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005429170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.768{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000005429169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.658{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005429168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.658{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005429167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005429166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
734700x80000000000000005429165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005429164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
734700x80000000000000005429163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005429162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005429161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005429160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005429159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005429158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005429157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005429156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005429155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid
734700x80000000000000005429154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000005429153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005429152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005429151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005429150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid
734700x80000000000000005429149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000005429148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005429147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005429146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005429145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005429144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005429143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005429142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005429141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005429140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005429139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005429138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005429137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000005429136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005429135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid
734700x80000000000000005429134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005429133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005429132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
10341000x80000000000000005429131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005429130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005429129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005429128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005429127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid
10341000x80000000000000005429126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005429125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.643{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005429124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.628{4DF467A6-FD42-6138-2ED4-00000000F001}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005429123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005429121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005429119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:22.627{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005429117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DA684781B36A1BFEB55991B5319959A,SHA256=9C702C9000D9B2C94B386A0F355E969B9FA181057E73C29E207EA02C9B4179B1falsetrue
11241100x80000000000000005429115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D4F3C3A944004A63E62E6BE0576FD0,SHA256=9AE04F67D453F826AAF4D9F2E8C1E019E1CF206C25A98702F480343943CF54D3falsetrue
11241100x80000000000000005429113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B58F39B2E04BE0D523753A6B7D9747,SHA256=820EDF37AAF53BDE8FCA3C4D0E63096159A853D7793DED4ED0CEDF9D2AD132F2falsetrue
534500x80000000000000005429111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005429110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005429109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}8004364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005429108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005429107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:22.080{4DF467A6-FD41-6138-2DD4-00000000F001}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
354300x80000000000000001535667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:15.832{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60644-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535666Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:22.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F04A86D7DB81E84E21480DBE4AE6F8F,SHA256=415E8FB403FA9149D0ED7E73F6B5755D34711800F7B023A3FA4A607266AD4249,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:23.697{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD9FD0F66F40723E3218BD998B208B,SHA256=E10BAD44C96032BBF83EDE78F7381C97A5E9BE8BE32FF9CC1427F8EB8ACE2A65,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87CC2D6C491CC9E7A8455BAE36F7FF39,SHA256=B22F0708C87ACC120629C6E7DD8725BCF53C794B31C0567222BDFCEE4F0C118Dfalsetrue
534500x80000000000000005429231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005429230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000005429229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}80724968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005429228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
11241100x80000000000000005429227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F90140BE322DB9658EB69CEF3118DA,SHA256=3F225033AF0F8086B855C77B38067B1A8CDE654E02F7C19BDE3C12FC1E6B47E4falsetrue
734700x80000000000000005429225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.455{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000005429224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005429223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005429222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005429221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005429220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005429219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000005429218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005429217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005429216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005429215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005429214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005429213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000005429212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid
734700x80000000000000005429211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.330{4DF467A6-FD43-6138-2FD4-00000000F001}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid
734700x80000000000000005429316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x80000000000000005429315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005429314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000005429313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid
734700x80000000000000005429312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x80000000000000005429311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x80000000000000005429310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid
734700x80000000000000005429309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000005429308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
10341000x80000000000000005429307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005429306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005429305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005429304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005429303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid
10341000x80000000000000005429302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005429301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.549{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005429300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.536{4DF467A6-FD44-6138-31D4-00000000F001}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005429299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005429297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005429295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:24.533{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005429293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B97985C68664E41BE1591EED5E823A,SHA256=E81DA7D842B1CFC8F698F6F4E015419EFBB141419F79DBF0EF3221B7EB2A4AF5falsetrue
11241100x80000000000000005429291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694BDECD9227F1B6C1170FC9E66C94C0,SHA256=481AD0907A09D12A55944A53F8EAAC92E8EAECFEB77198D55992E49F2AF03F02falsetrue
534500x80000000000000005429289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
10341000x80000000000000005429288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}62125912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005429287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000005429286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.143{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000005429285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000005429284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid
734700x80000000000000005429283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000005429282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
734700x80000000000000005429281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.033{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000005429280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
734700x80000000000000005429279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid
734700x80000000000000005429278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000005429277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000005429276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000005429275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000005429274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000005429273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000005429272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000005429271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000005429270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000005429269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid
734700x80000000000000005429268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid
734700x80000000000000005429267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid
734700x80000000000000005429266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid
734700x80000000000000005429265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000005429264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000005429263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000005429262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000005429261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000005429260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:24.018{4DF467A6-FD44-6138-30D4-00000000F001}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid
734700x80000000000000005429372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000005429371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000005429370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
10341000x80000000000000005429369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000005429368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000005429367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000005429366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid
734700x80000000000000005429365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid
10341000x80000000000000005429364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000005429363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.174{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000005429362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.159{4DF467A6-FD45-6138-32D4-00000000F001}7796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000005429361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005429359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000005429357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000005429356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 18:13:25.158{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000005429355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.064{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:25.064{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15CC250ED038C3AEC5486C0516EDE39B,SHA256=0F80EDFC6EF2FA2E594ECEAA8A4E1282276805DE54732F161B3901133329E132falsetrue
11241100x80000000000000005429426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:26.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:26.768{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=450187243987B7AEAFFA8F9AFC266A5A,SHA256=195E73418DDC0F3A7DC6C6C80F62ED90F36160BA11725665BFE9CFC128891882falsetrue
11241100x80000000000000005429424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:26.611{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:26.611{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25FF6B9ED01BB016CC0863207E4E116,SHA256=BD60EBF534BD589F431DA852926233B6A974E19BEFB39F0D822D4D9953E452C1falsetrue
23542300x80000000000000001535672Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:26.751{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BEE229B6D1F16AC1726BB4FDAB4D66,SHA256=987A771738853611CBC941DA7C5632B2BA55CF71A198B2B0D33DA6E607325859,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:26.346{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:26.346{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0771C01528DD83C70A00FE89C846170,SHA256=331890949666A21F0FB9309C0E51F8F3D2BCCF6541AD28DEAA172553549926AFfalsetrue
23542300x80000000000000001535673Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:27.752{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5099785F99956D2CCA05F1654BF510D,SHA256=4EAA5581574D0E2644F3700E628C1894E675015A439BE6130A29D4BCC5E166C4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:27.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:27.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7055EF459FA74EADE47A98131726CDD,SHA256=5BC9D251804FB22B1DB2CAD1F2CF9317756763C871137BE0822778B6A447575Bfalsetrue
11241100x80000000000000005429442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:27.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:27.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE9F56BFB8FE7C8E20BC251D1118F76,SHA256=57163228B96253B46FD67667EC8E411352DCD7192E90F83B38547EDB465F0C40falsetrue
13241300x80000000000000005429440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6
13241300x80000000000000005429439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617
12241200x80000000000000005429438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
12241200x80000000000000005429437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
12241200x80000000000000005429436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
12241200x80000000000000005429435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry
12241200x80000000000000005429434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common
12241200x80000000000000005429433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0
12241200x80000000000000005429432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office
12241200x80000000000000005429431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft
12241200x80000000000000005429430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software
12241200x80000000000000005429429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
12241200x80000000000000005429428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
12241200x80000000000000005429427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:27.114{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
23542300x80000000000000001535676Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:28.773{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB201ACD1A52D0FC1F6BD5FED91351DC,SHA256=5B2FD15645BE19A124489A1C7249CF7DA23263721797D3E83A955D70EB2D8B28,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:28.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:28.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BA339403EC25EEAD9A79249B7C5C30,SHA256=34C68B96798F20ADF43E00BAB97143B9FC2939A6CC999BA9663CA1C7A5ACDED1falsetrue
23542300x80000000000000001535675Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:28.022{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60B79E852F22F637689572EE69FDE97E,SHA256=CAE92EEBB38A26116B3EF29839D021EEB1A37D4F04A8FFBEE5358408DDB0F9E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535674Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:28.022{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=209233E161907BC67580B8067D14287C,SHA256=4BAC77192B30006478737A383B9CBC00DE040945040823867AFE690BD31446A3,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:29.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:29.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F3C135E1EE9D736C3FDC00EFC26B43,SHA256=534CBA08A8D6BF915D86A449ABDE2BCD39FCD191B904228AC45C4A9DA7599455falsetrue
23542300x80000000000000001535678Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:29.826{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5919D4FFA6B62891687C32B88679D911,SHA256=AC215043C78896B990997A0B057DEC8D54E4F649BFAA68335FDEBC3470F1598B,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001535677Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:21.678{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60645-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535680Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:30.829{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79262B1D2FEA4019463BE14AFB010B6D,SHA256=610E495587C88892FD5C441403FC86CE603E475EF2AEC3A23C987D35DAB5E8B2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:30.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:30.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=197B5177D35009C277B92C7505142236,SHA256=CB58FD809285113CAE7E336AE51E480B3A28D6A9E647C44F3149CA379AFDA05Bfalsetrue
11241100x80000000000000005429452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:30.895{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:30.895{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5611870E00EADB32505AC3CA167A88CD,SHA256=8F6DAAB7BF758BB2AAAD7E54CEBA067846C8B6B9BCD6E3E560CD89A0A57400BBfalsetrue
11241100x80000000000000005429450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:30.254{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187
23542300x80000000000000005429449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:30.254{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4636AB558019A1481B0BF9DA12B19F5D,SHA256=66A9721ECBD59A1A983B78D8115AE89A49E08E39D2E72C432E2D843AA7886569falsetrue
23542300x80000000000000001535679Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:30.097{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7171MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535682Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:31.831{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EE4812B285F48AA0F3609FE45C78D4,SHA256=7FADC1CDB444A9543F9D26A79CC85C64F3F7A9C2902EDE37BA0D016C7DC54EAB,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:31.801{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000001535722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:37.927{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853DAE8FA53F6F57C649B276543D5D4C,SHA256=08B6E8FF851B15ABF2288DA75285DFE9350DF5AC799761F33C154AAA25E450CE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.567{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.567{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DB6C363CDD74A7AD8CC12140C1FDB4,SHA256=F03AE4BC4CA7E707E6C60E5382206D9D84C0BC48FB385EAC0F68AB07318EF901falsetrue
354300x80000000000000001535721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:30.747{AEE49BD1-4151-6132-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgmfalse10.0.1.15win-host-296.attackrange.local138netbios-dgm
354300x80000000000000001535720Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:30.747{AEE49BD1-4151-6132-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-296.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgm
23542300x80000000000000001535719Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:37.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E4C1A3987CD5A9B3ACF2FCD0EC8CCF4,SHA256=2311536AF5E8A793A527B92B5035B735D0806F9FF604EC7D3B6BD552F489CE66,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010BCE3937DDBC1ADA11BAD48266A973,SHA256=981BDF54A5AD142B85D50D0E87553F8CD010176FE12D3714284A804BDB564812falsetrue
11241100x80000000000000005429479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF2E52DEE8B73B99660FA6FF73604049,SHA256=46E809FCC930FB9DF3C202270201F2FF73B4CF84939599327CBA32926D2DF9D8falsetrue
23542300x80000000000000001535723Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:38.961{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0160AA48B239B55828A6ED50AD3922F2,SHA256=83874663A7F1878E5D9FE65194E89C10F954FAD539BE0ED251ED57A8BD86FA5E,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005429486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:23.702{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63399-false10.0.1.12-8000-
11241100x80000000000000005429485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:38.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:38.614{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D49C3A3D77A9ECE9778288003ABE81,SHA256=DC65C18A5925A09AF0B2A72A733839F39BEC7E70E985CCF36F4C32C98E06ADACfalsetrue
11241100x80000000000000005429488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:39.629{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:39.629{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B520DA29CA485ABE46975FB88677D6DD,SHA256=931A105D6CD110DFEAA1336A740FFAD76245C62B5B8D4C1EF91E5F24F4E9BDFEfalsetrue
354300x80000000000000001535725Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:32.701{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60647-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535724Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:39.045{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F270E0C5532C3A226C4E7B6EB1D2488C,SHA256=516897BAE7BD924F3DD70784ADBCB5A656D47D7B440C46387CF2781F3FBE6FE4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:40.817{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:40.817{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A54A8914B99763BA670B8B3CD555A3B,SHA256=BAECEF521F0795C18D876938DCC81F57A7F8AA770B30FC89415E26A513B9BFEDfalsetrue
23542300x80000000000000001535726Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:40.002{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3744A6FA328D7BA02C88E104D03360EA,SHA256=A36645E1420E49836E81AF30FD00483697AC3B101BAEB1F8BB24803CB57E3AE6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=704CC7F27A9D2A39596E11AE8B7E809B,SHA256=F28B80B712BCD63CA8DE7DAB5D7BDF7D1558225FBC1490A42DC811D4C4C86056falsetrue
11241100x80000000000000005429496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5875D3B86DDD95AE59741BB2342D407E,SHA256=0E72F56C6F403CB591E19E621C4CF1FEDEDE335A8DF91E30AE8374B9D9CBF6DCfalsetrue
23542300x80000000000000001535727Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:41.003{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BAB0FFC178EFD87EC5BC6F5372A1C2,SHA256=EF4F66536C445033D954C6A7BC4143F17C467738C3C3FB3E0FDBF049F0DADBFA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1D643CE4137087D5487B6DE3C2DFEDEC,SHA256=AD51DCE31FDAF318F2CAB4D387FDC0C388BDF08B7B4A4F51252CD429A8B4A47Cfalsetrue
11241100x80000000000000005429492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:41.145{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=74AB84FB0EE1E5EB54041F3883CCDF45,SHA256=BB5473866D742CA382BECC1E2E16B0B1EB98550D7A99F68F400660345EB0BDC7falsetrue
11241100x80000000000000005429504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:42.864{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:42.864{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970B0638B3923EB9B41E35E58069A1BE,SHA256=9F5AD0B63DB5D5084C64A1EDD2E4DFE802180D53F41CC2077376FAB494DD0361falsetrue
10341000x80000000000000001535736Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.887{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD56-6138-3FCE-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535735Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.887{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535734Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.887{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535733Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.887{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535732Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.887{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535731Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.887{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-FD56-6138-3FCE-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535730Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.887{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD56-6138-3FCE-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535729Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.872{AEE49BD1-FD56-6138-3FCE-00000000F101}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535728Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:42.023{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36E6084FFC82F630ED78EF4ED8099A9,SHA256=5C00AC113251665EB8677B60A6535DE38AC4F5E4D8617249EEAE621C36FD94A1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:42.254{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:42.254{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5BD22CCB441EE26EE683FF0EBF149E,SHA256=C9FD608AD3A9F0878CEC4952B2A3164F8E55880FCF23F7B0ED2373B8AFC2C6F3falsetrue
11241100x80000000000000005429500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:42.254{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:42.254{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010BCE3937DDBC1ADA11BAD48266A973,SHA256=981BDF54A5AD142B85D50D0E87553F8CD010176FE12D3714284A804BDB564812falsetrue
11241100x80000000000000005429507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:43.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:43.926{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA03955C714AF297F02AF6F4713E2C1,SHA256=B3056F974602E18D3BD8D3024633CE5FDC3D8175D7F844176F5E1A545A5311D1falsetrue
354300x80000000000000005429505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:28.889{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63400-false10.0.1.12-8000-
23542300x80000000000000001535738Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:43.874{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=535A562309481EC2C03E0F403DBACBBD,SHA256=448258EA03FDDBAD1F91FE9F0CD4F121417F81F0AD56F41EF9CE8969C6D94F17,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:43.025{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B964D5091E95DE457B56FD6FCC995EC,SHA256=B06AB6F5F6A21CAC73250AD8B2AA7CE67EA52E71D47E7A68BCCFD49D997DC8B0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000005429534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:44.176{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001535740Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:37.864{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60648-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:44.028{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65D680F73DF9CEB7498DA6B2A399885,SHA256=D8132F58FAE03E55E44AB74A406873BA606B226ABEC76EA944DF1E42E417E149,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:45.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:45.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4DF23534ECD5F4349F431D437BF8DF,SHA256=9904A5B91451D0568DCBEA3A8BD6896C7D451A48104DD9EABC60CA215D3B4289falsetrue
23542300x80000000000000001535741Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:45.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B4C99867A2D4BC81DB4F22C04BBFEE,SHA256=CB7D403794ECACA07B63AAE9CC1E79DE1EB3A684CD80ACF7460841490C1BADD6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.956{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.956{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8CE374381B381333603409988281D475,SHA256=5ED16744A4FC13B08B109BF3BE14C61FE9DB59E923A9A4E181C068800996DAEEfalsetrue
11241100x80000000000000005429542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F891FCA9ACED9D1E526DC04B27C73C2E,SHA256=E3E3841F8F0C1A2710631B53E243C44BFA0EE8DAC8302320FA9FF50988F248E7falsetrue
11241100x80000000000000005429540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0BF41566A97E1B3146A3BBFE3F499A43,SHA256=37517BA75E9C42C2E13DCDA9E608963565DB1D4103B3AAA806196287FD30B27Efalsetrue
11241100x80000000000000005429538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:46.364{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2F37F1D8DE154BF7489C69C89EC7E8,SHA256=00B7962D5BE569A5431601A36BA48C9ABCDA3EE6A0E494A9230DE1D0EF38C559falsetrue
23542300x80000000000000001535742Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:46.049{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CEEAF3C84F671DA2369D4DF4784EB9,SHA256=87EE7DF704238F69E71AE094A7BE0D530D98B17927C3E0A83D72C5B05C596264,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535743Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:47.099{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A1B0CF0EC8872F616485B21F28C722,SHA256=C7625077FAFD5F46CD0556C64CE5353907A30E040ABC9D92C21EEA703B1D261A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=091E0BF2A2475972B89F62DDC6DA4A6C,SHA256=26A38F55DEF4CC275DE02839B3E47EB0D42B237A2EC1EAE9365F3450FC64ECA0falsetrue
11241100x80000000000000005429550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.924{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5BD22CCB441EE26EE683FF0EBF149E,SHA256=C9FD608AD3A9F0878CEC4952B2A3164F8E55880FCF23F7B0ED2373B8AFC2C6F3falsetrue
11241100x80000000000000005429548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.659{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623
23542300x80000000000000005429547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.659{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue
11241100x80000000000000005429546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:47.393{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4789CF7B6706D8510D2DD217342CFF6C,SHA256=89E142261A2FFC0C57F06A45E0C3681321451AC646BAA4074ABF4A5EEA5BE399falsetrue
11241100x80000000000000005429554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:48.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:48.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED62B8CB41A63F083E4AA53952FCF7E8,SHA256=572E1503A4AFD08D5C9DCB85A038E54C6B4FFBE5BD0CDC29524B7982143A246Dfalsetrue
23542300x80000000000000001535744Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:48.119{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF8C653F0AB08187D244F06B8B01DD6,SHA256=7AC1BC79FFF008B5BE9643798589632EE29C535530BA34B7CA7DF26D85534BE0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:49.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:49.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA374275D6C61F40A799B5A5DD43FB0,SHA256=4E98F67DEAAE3421BD44663AC199E66FD7649CEE05E83B395220B0E5187C0E33falsetrue
23542300x80000000000000001535745Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:49.121{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBA63BA132C2F81F5C8416B1E164335,SHA256=AA71A022E64BB8D450F219D54A4D706FA3C7D6FB18E12FD6C1DFDF5A739183D7,IMPHASH=00000000000000000000000000000000falsetrue
13241300x80000000000000005429593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000)
12241200x80000000000000005429592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
13241300x80000000000000005429591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000)
13241300x80000000000000005429590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000)
13241300x80000000000000005429589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a4dd)
13241300x80000000000000005429588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x45a5c0d6)
13241300x80000000000000005429587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a4dd)
13241300x80000000000000005429586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x45951026)
12241200x80000000000000005429585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}
12241200x80000000000000005429584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List
12241200x80000000000000005429583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine
13241300x80000000000000005429582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000}
13241300x80000000000000005429581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007)
13241300x80000000000000005429580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001)
12241200x80000000000000005429579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances
13241300x80000000000000005429578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291
12241200x80000000000000005429577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
12241200x80000000000000005429576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
12241200x80000000000000005429575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
13241300x80000000000000005429574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-291$
12241200x80000000000000005429573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
12241200x80000000000000005429572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
12241200x80000000000000005429571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
10341000x80000000000000005429570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:49.393{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
13241300x80000000000000005429569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000)
12241200x80000000000000005429568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.393{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
12241200x80000000000000005429567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
18141800x80000000000000005429566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248\lsassC:\Windows\system32\svchost.exe
12241200x80000000000000005429565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005429564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
13241300x80000000000000005429563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal
13241300x80000000000000005429562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-291.attackrange.local
12241200x80000000000000005429561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
12241200x80000000000000005429560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
12241200x80000000000000005429559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005429558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache
12241200x80000000000000005429557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:13:49.284{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
354300x80000000000000005429556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:35.294{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63402-false10.0.1.12-8089-
354300x80000000000000005429555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:34.653{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63401-false10.0.1.12-8000-
11241100x80000000000000005429599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:50.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:50.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E12E852A6807A653273F73B54ED584,SHA256=2B7B4F73290E2F5E2B8153B5ED6670EC1FDC8C81EC2BDD0D25312DB17BBE2C44falsetrue
354300x80000000000000001535749Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:43.780{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60649-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535748Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:50.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2E382836B131C4B959CAD44AE896771,SHA256=4322DC2DD1D129E89235480D02385889C85B7360D4484A9EBA70165A81F26AB3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535747Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:50.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F25BD1CB01E3537405AD320FE132B2D,SHA256=2DD222C1A50018623F9192A8540A0E46D2A0A69A435BC623170CEACA38F77CA6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535746Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:50.124{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BB9A643F12FD7CE3F9F1BDA6B167432,SHA256=3F0BA0D7AA01C8F3CD8DED899B5F13C2B3D85CAF60C7D76B529623DA16E417E6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:50.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:50.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=091E0BF2A2475972B89F62DDC6DA4A6C,SHA256=26A38F55DEF4CC275DE02839B3E47EB0D42B237A2EC1EAE9365F3450FC64ECA0falsetrue
11241100x80000000000000005429613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:51.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:51.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CABD8DE71283C7DDB09A0C1C2C0DDE,SHA256=242FF53672B26DE84218727F746E4625F09F9E033C94A75252FB11D902F2FAC4falsetrue
23542300x80000000000000001535750Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:51.131{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4601B5138A6D1B3A623168204B611C22,SHA256=58D2A6E4C495F1C2E4AB0F40A7FC8E7CE6FD016D04C9CED7AF0DD9C84FA31831,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:51.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:51.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E41E1BCB6748EFEA13E8232A560791B6,SHA256=DC732524235F3E1244FB3C3872632825BB8472D794C2D6915C1534181939BD13falsetrue
354300x80000000000000005429609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.218{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-291.attackrange.local138netbios-dgm
354300x80000000000000005429608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.218{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-291.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm
354300x80000000000000005429607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.046{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63405-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds
354300x80000000000000005429606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:37.046{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63405-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds
354300x80000000000000005429605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:36.943{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local63404-false10.0.1.14win-dc-291.attackrange.local389ldap
354300x80000000000000005429604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:36.943{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63404-false10.0.1.14win-dc-291.attackrange.local389ldap
354300x80000000000000005429603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:36.937{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63403-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap
354300x80000000000000005429602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:36.937{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local63403-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap
11241100x80000000000000005429601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:51.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:51.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38E794711C77AC7A7BE31A7944EABEDF,SHA256=D5D421C2F9DB14D11C235B8FA4CA77CC98177BA5C0A8CCAABC48CD901E939AAEfalsetrue
11241100x80000000000000005429617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:52.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:52.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D1DB1E4EF3DBB7AA6BFBFDB484B044,SHA256=95FB139B1ABA374381AFDE1D353047A5850DBEFA09E1EDF54ACE239197392355falsetrue
23542300x80000000000000001535751Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:52.166{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45655834FEBB96DC546C805AB1E2000D,SHA256=248B0EDE960800E1CA71FCB969661E5B8E6DD680B1F20C65D48D65C0E9891630,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:52.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:52.003{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2EF91319CDBDB11CF8E1F622494EC3E6,SHA256=212404F24CBD9F47D075E583F5819E152F841EDE6C003F7A3F576303D5748F93falsetrue
11241100x80000000000000005429621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:53.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:53.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8955CD716D792CDEC182833C4FEF70,SHA256=57AF8172FFB88FCF2C92EB598A9724501F3F5B2EBE3FE7CA5D96499C4E98B42Bfalsetrue
23542300x80000000000000001535752Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:53.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119B7F78F3BE3427C9367DC2A5EE783C,SHA256=A44FCDDDD15C0C21638E8B32853CD64E737B35C81863092C020CCCFC94547B51,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:53.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:53.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1241733AD0F9EA8C1CE4A73BCA0291F8,SHA256=E74F10A0133206DC9388869DE74D570A2A99E5DB59B28A99FC7506501DC6B4FDfalsetrue
11241100x80000000000000005429624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:54.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:54.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359AE59D45D2F32A6EDE903BE896B607,SHA256=A65C2808E013470EA5D28C2A703E83590F7E75DC255D3C56DAF7C4CFB0678D1Afalsetrue
23542300x80000000000000001535753Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:54.235{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D015FD6EE2EF5A0199D7B567A5B1723,SHA256=9ABCE89298EA71DB3E9650EF7FBDB9599689FE6E119A1743143B655DA7623D3C,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005429622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:39.887{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63406-false10.0.1.12-8000-
11241100x80000000000000005429626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:55.721{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:55.721{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FAAADABC7EC2EDEF4C32F5C5BEA2D5,SHA256=3FA877B02DDF7842AD359CF57E2EFEC6BD6B29E308D9B71C97C2E4957E5D8FE8falsetrue
23542300x80000000000000001535756Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:55.290{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A047EBB2420E6B63D9D4BE581F9A3B6,SHA256=745A0BD29293644764923F276220B61764928C4EC35FAB2A8F52CD596C68C193,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535755Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:55.290{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2E382836B131C4B959CAD44AE896771,SHA256=4322DC2DD1D129E89235480D02385889C85B7360D4484A9EBA70165A81F26AB3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535754Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:55.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46C749CD67B075C1D41BCA26358D01D,SHA256=21532AF28F8274BF75DCD8AC82F4A68636FCF6E10479666EC4DBE702F996A6B2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:56.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:56.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F7DDF0441411F4FFDACCCFFB50514A,SHA256=ED7C1226DF68BF993C4A1BD2867DEC99951DB0A51ED8864AEA73A59031B5A300falsetrue
23542300x80000000000000001535758Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:56.241{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D196F7370963EF3DD837763F8B4D5C5,SHA256=B7D7AEAE2E0BECB8A8DE6B9D55E003E5993D7EAB739C48FA63E95A736200A750,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:56.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:56.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BCE88E76B47A4F1ED7E223A3EF30EAE,SHA256=644F13750E471EDF86042E1677A6449F9E173BC0FB79FC0E668420E16B29C2F4falsetrue
11241100x80000000000000005429628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:56.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:56.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=590ACB8BBE9975FF484A8BCEDB228EB3,SHA256=1A83130F888E920EE7F4AB5CA8AFB28D5CA9C3C8A88387C3D49FB48CB94E385Cfalsetrue
354300x80000000000000001535757Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:13:48.844{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60650-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000005429636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:57.799{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:57.799{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88ACD98131A58EEE46AF219C7B1DE369,SHA256=764D2BFD25521184AC64CE96D297374F14D3110DEDCCC836F714AA5F67071E4Ffalsetrue
10341000x80000000000000005429689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:09.173{4DF467A6-3F47-6132-0D00-00000000F001}8968084C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:09.173{4DF467A6-3F47-6132-0D00-00000000F001}8968084C:\Windows\system32\svchost.exe{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:09.173{4DF467A6-3F47-6132-0D00-00000000F001}8968084C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:09.173{4DF467A6-3F47-6132-0D00-00000000F001}8968084C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000005429685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:09.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:09.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC4204316329C9EBDAE05FC25AE69B6,SHA256=286D044990959791E9D6521E738D6AC12ED1500583A7A5AF922EC9D3252931D1falsetrue
12241200x80000000000000005429698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:10.236{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x80000000000000005429697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 18:14:10.236{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
11241100x80000000000000005429696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:10.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:10.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B150119C8CB3A9B93755F7A0BA839C,SHA256=757F879892F59399BD7DA2CD81FD30CCF4966734AD2AB9D448EF4157F0D51A0Bfalsetrue
23542300x80000000000000001535787Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:10.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CBE28C57BB8B3FECE2534DFA754497,SHA256=65478D96E1632DF0E53FBFF5D872EDF2F46D7DAC367797A6EA2B7BC3769B759A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:10.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:10.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7A0D683A9B66347758A11BA9495190,SHA256=A1BCA516EEEB39AC3B08A96E8257A4123477A9074E3FE59C3C76178C9C8F528Efalsetrue
23542300x80000000000000001535788Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:11.414{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0618BF7DAC70C281E499C06009542499,SHA256=F2347DE6D71531310685B0C9207640A4CDBBCAE33E2C3B5466FF7BF54983EB90,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=94B775EA2B8135710535F815B8FE37BF,SHA256=0C1AF5A77452C3B5A897D0B50EC22EAC8A0D43AC4C14D3AA065CB7AF9526BCD8falsetrue
11241100x80000000000000005429705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4C746A509FDE6F3CAC24973C48EC4BD1,SHA256=02AEBF10B5D126233655900D6BBC48A2B25CBD16A87CAEEB24653DDE53561A2Efalsetrue
11241100x80000000000000005429703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.252{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D2F7A251CFF07560CA8773AE3A7EDFB,SHA256=8069C8181107890E065DD8C84396E6606B9D7EFC66B1493F83E2379732065AFAfalsetrue
11241100x80000000000000005429701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:11.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA816C98D3593D298DAEA63013E962D4,SHA256=863DE02F9ABA57039098F87B5B80C95194AC89013ED9EF5E0CAEFCAC5A18BFF2falsetrue
354300x80000000000000005429699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:56.714{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63409-false10.0.1.12-8000-
23542300x80000000000000001535791Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:12.463{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A73E6299AE58639FC1484B8FEBFD7DE,SHA256=76EDDD9DDE769980EBAC1446D917CD3B0FE535A0F52FE5E464C07393CB74D920,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:12.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:12.236{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14B67E4082AF31D4BEF6D9D3D00751DA,SHA256=091A945A466CF709DEEE460E7C17A7C43E9B3BC68C8FA6897C27352CAEE98A2Efalsetrue
11241100x80000000000000005429711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:12.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:12.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964F44CEA9B39181C1DD37ED12785151,SHA256=4C039F1F76A3FB9DA7C87FB829E948ABC313F0FFA803B85F62775AB69A167947falsetrue
23542300x80000000000000001535790Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:12.216{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC7327EABC26A9FD1024316F27045A4E,SHA256=D07062A92BDC0E394B0276F1182BD7EA8D7EEABCE9ED5A93206DDB69A529370E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535789Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:12.216{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DE6A82D5B34C54B67F0290A5491A1A7,SHA256=BFF3D0D805DF4CB1B0E5E0BF794EBF0C93561833BA04270EA7E6425D62FA1D87,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000005429709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:57.886{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63410-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
354300x80000000000000005429708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:13:57.886{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63410-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap
11241100x80000000000000005429715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:13.267{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:13.267{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B32705EC262F0610717886D7BE3D12F,SHA256=A2E16161F36202E6D93C6690D1C9E26EDBFF76C422329303BC8FC87524F74228falsetrue
23542300x80000000000000001535794Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:13.483{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA24EF784171C4CE19682F446F01FD8,SHA256=C26086531E720AE42630B9A88852296DE20D697AE04D051A311A5B4C16768AE9,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001535793Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:05.856{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60653-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001535792Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:13.065{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:14.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:14.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DBD3C235912B992964470FEDCCF862,SHA256=6587261689014F9335090806B90AD910FF2B8058D1D3CFF1F8A5EDBE08EF5E04falsetrue
23542300x80000000000000001535796Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:14.487{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1ED1DA6E620A741E9CFD154CF330FCE,SHA256=7A92FA97243BE62360D6EF36C30AFC1C9A8D781077A3A9A64EF8CA5F57F2ACE0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535795Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:14.052{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC7327EABC26A9FD1024316F27045A4E,SHA256=D07062A92BDC0E394B0276F1182BD7EA8D7EEABCE9ED5A93206DDB69A529370E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001535798Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:15.489{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398A74436FD15B2DD22D72AB765CB0ED,SHA256=4F3810E95317D22A77C511F1D8B5157836F305185A8EE2BD4C97C59F97D2A61F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000005429722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:15.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:15.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976C293B542B00BD5EAE6E81A167EAEC,SHA256=011CCADC818928CD6F167729C49BE0104C3D462E21E5097353F0CEAF83CD4B03falsetrue
23542300x80000000000000005429720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:15.130{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7181MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue
11241100x80000000000000005429719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:15.129{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-71812021-09-08 18:14:15.129
11241100x80000000000000005429718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:15.128{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-71822021-09-08 18:14:15.128
354300x80000000000000001535797Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:07.707{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local60654-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089-
23542300x80000000000000001535799Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.497{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFDF3FADA09805AB9CC16C1C52A05EE,SHA256=5114139DAD93F3B44A177959A12C902DB235B437750A576F8CA62D210578F0F2,IMPHASH=00000000000000000000000000000000falsetrue
24542400x80000000000000005429736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.624{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=19CB0A0AB26D7B1E4CEA4D768C3E66EC,SHA256=195F7DAB2FDCE53F066BF2990FB026E2F10B5C67B8A17D88398A4A5489F1AC9Etrue
10341000x80000000000000005429735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.624{4DF467A6-3F47-6132-0C00-00000000F001}8366288C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000005429734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.624{4DF467A6-3F47-6132-0C00-00000000F001}8366288C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000005429733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.624{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-19CB0A0AB26D7B1E4CEA4D768C3E66EC195F7DAB2FDCE53F066BF2990FB026E2F10B5C67B8A17D88398A4A5489F1AC9E2021-09-08 18:14:16.624
10341000x80000000000000005429732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.624{4DF467A6-3F58-6132-2B00-00000000F001}29486384C:\Windows\sysmon64.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000005429731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.484{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.484{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E49B8F37DF816B2DDF53F268BCCA2D4A,SHA256=1BA30BB99BDBA21E79484F591AB577E9B4C1F27A9409CD7B22298573C4C1E9CDfalsetrue
11241100x80000000000000005429729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=36694A886988315B2A205F58057BD44B,SHA256=AFDD7F0BDA45B8FE95D0410A50AC3001657E1E6ABDF5E30A9383B569A85BB863falsetrue
11241100x80000000000000005429727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FB37F39275F650EE02AB130BA862DB,SHA256=068D5E3D6E9E824E75FFDA55562833BCD37A6C4378F0100DDABCAF2B956A9995falsetrue
23542300x80000000000000005429725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.143{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7182MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue
11241100x80000000000000005429724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.111{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000005429723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:16.111{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBAACEA87D197B59590182EB39FB4791,SHA256=F5D4F3015ED04667A03771CFDCFC1F75C4D74C9347CCF3BAA4ADE7647A556CC8falsetrue
11241100x80000000000000005429741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:17.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:17.627{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55138FD873AD2B94389A83F861B6CFBF,SHA256=72E7A5A2B1ACFCC24FB289409DC3D5620505EA8AC2487CF9D61B86342E20246Dfalsetrue
10341000x80000000000000001535817Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.677{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD79-6138-41CE-00000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535816Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.677{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535815Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.677{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535814Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.677{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535813Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.677{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535812Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.677{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-FD79-6138-41CE-00000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535811Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.677{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD79-6138-41CE-00000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535810Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.662{AEE49BD1-FD79-6138-41CE-00000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001535809Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.515{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA76154273951683774845C08EBCB4,SHA256=C5769147793780A6FC5EDCCFF00005BDBB24A08C7A217ACAB90D3BA63C96DC5B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:17.130{AEE49BD1-FD78-6138-40CE-00000000F101}54922028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535802Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001535801Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.998{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001535800Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:16.993{AEE49BD1-FD78-6138-40CE-00000000F101}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x80000000000000005429739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:17.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000005429738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:17.299{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60CAC0D3A2C9304DB743074515FB3543,SHA256=E2986E687AD6AD72783D2C3839EAC4E930147B8C49349E4FF476D4BC486024B0falsetrue
354300x80000000000000005429737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:02.746{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local63411-false10.0.1.12-8000-
11241100x80000000000000005429743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:18.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000005429742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 18:14:18.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451BDD34859A40D11861FE23E5E813E0,SHA256=9B2ED1DBE73ED7B761EFF920FC2A38EAA7133EB8B779A89362E312FE0853E14Cfalsetrue
23542300x80000000000000001535827Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.546{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC06BAFE0A4D889FC9C74D37C38A4342,SHA256=0C0192C0C35628190D08FDFEC3E5468B0C8D02AC16886CBC3929BEA52BDA6A3A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001535826Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.362{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-FD7A-6138-42CE-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535825Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.362{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001535824Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 18:14:18.362{AEE49BD1-415A-6132-0C00-00000000F101}